Skype has warned of a flaw in its popular VoIP client software that creates a means for hackers to swipe files from their "buddies". The flaw can be exploited via a malicious constructed Skype URL which initiates the transfer of a single named file to another Skype user.

The security bug stems from an error within the parsing of the parameters passed by the URL handler. This flaw creates a means for hackers to inject commands within a maliciously crafted Skype URL that initiates transfer of a file from one Skype user without requiring the sender to explicitly consent to the action. However, this only works if a trust relationship already exists between the two parties, drastically restricting the scope for mischief.

The bug, which is not easy to exploit, applies only to Skype for Windows and not other versions of the software. Users are advised to update to Skype 2.5, release 2.5.*.79 or Skype 2.0, release 2.0.*.105 or later as explained in an advisory here. ®

Related stories

• Hackers call on Skype to spread Trojan (20 December 2006)
• Skype patches Mac OS X flaw (4 October 2006)
• Fugitive CEO tracked down to Sri Lanka after Skype call (25 August 2006)
• 'Skype clone' surfaces in China (17 July 2006)
• Computex 2006 Intel pitches VoIP card at office-PC users (7 June 2006)
• VoIP firm backs 'virtual' yacht race (6 June 2006)
• PGP creator offers VoIP crypto to Windows users (23 May 2006)
• Infosec Security pros give VoIP the brush-off (27 April 2006)
• Skype uses peer pressure defense to explain China text censorship (20 April 2006)
• Botnet control fears over IP telephony (26 January 2006)
• Analysis Skype explains why security evaluation omitted bug reports (7 November 2005)
• Scramble to fix Skype security bug (25 October 2005)