Skype for iPhone users can have their address book stolen with a chat message
It seems that there is a vulnerability in the most up-to-date (3.0.1) and some previous versions of theSkype for iPhone app. The vulnerability makes it possible for a chat message to be sent to a victim’s account, some code is run automatically when it is received, and the address book contents is uploaded to a server of choice without the victim’s knowledge.
The attacker can actually gain access to the user’s file system, but is limited to accessing data only the Skype app has permission to view. In this case it makes the address book a prime target and open to (easy) access.
Luckily this is just a proof of concept, but a dangerous one nonetheless. The victim will have no clue their database has been stolen as there is no way to tell it is happening other than a sudden increase in data being sent that is not registered visually by the phone.
As soon as Skype hear about this proof of concept I expect there will be a Skype for iPhone app update being rolled out as soon as possible.
Read more at Supervr Security Blog