Crashing Skype with a Malicious URL

by Peter Jaric

Some time ago I noticed that it is possible to create Skype links for starting a chat with your account. This is how one of these URIs would look:

skype:#accountname/$*T;somenumber?chat

I started to play around with this and soon noticed that if you changed the “T” to a “U” and opened the URL in your browser (Chrome or Firefox, strangely it didn’t work on IE), Skype would hang or crash (after allowing Skype to open it, if that wasn’t previously set to yes as default). As I have near to zero experience with exploiting that kind of thing, and since I didn’t have time to learn it right then, I just sent this simple PoC to Microsoft Security:

<iframe src="skype:%23 SECURITY UPDATE %2F%24*U%3B 2015 ?chat">

(I tried to make a convincing message to trick the user into clicking OK, but that’s only necessary if Skype isn’t allowed to open Skype-URIs already.)

A little while ago I got this back from them:

We have completed our investigations regarding the issue you have reported and it has been fixed. We will be acknowledging your name in our Security Researchers webpage for the month of March.

It was interesting to see if a flaw in a desktop app would give me something more than a Hall of Fame mention, but I guess you need to at least provide some kind of exploit for that.

(For the record, Microsoft Security told me it was OK to post this.)