In a video posted last weekend, security researcher Phil Purviance shows how easily a user's address book can be extracted using some simple JavaScript code in a Skype chat.
“I’m going to send a user on an iPhone a message, and when he sees the message, the exploit will run,” the narrator says. “When the exploit code is run, the victim’s iPhone will automatically make a new connection to my server to grab a larger payload instructing the victim’s iPhone to upload its entire address book file to the server.”
This bug is due to errors from both parties: Skype for the security flaws within its app, and Apple for allowing every app full access to the address book. The app is still available in iTunes, with no update to fix this.

