search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Skype does not properly filter input from external websites

Vulnerability Note VU#248184

Original Release Date: 2008-01-22 | Last Revised: 2008-04-29


The Skype client does not properly filter user-supplied input from websites that provide video content to Skype users.


Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X, and Linux operating systems.

Skype users can include videos from the Dailymotion and other websites in their mood panel. Videos from these websites are also available via the Skype video browser. Skype does not properly filter user-supplied input that is provided from these third-party websites. An attacker may be able to exploit this vulnerability by uploading a specially crafted movie file to a site that provides video content to Skype users.

From SKYPE-SB/2008-001: Skype Cross Zone Scripting Vulnerability:

Skype uses Internet Explorer web control to render HTML content. This is used also for providing "add video to mood" and "add video to chat" functionality.

This is realized over JS/ActiveX interface which allows scripts to be run in Local Zone security context of IE.

In order to exploit this an attacker must exploit code injection vulnerability at the partner site. Such vulnerability has been discovered in Dailymotion website.


An attacker who constructs a Title of the video in a specific way can cause arbitrary code to be executed on targets PC.

For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used.

The proof of concept has been made public by Aviv Raff and Miroslav Lucinskij.


A remote unauthenticated attacker may be able to execute arbitrary code.


Per SKYPE-SB/2008-001, Skype has temporarily disabled the ability to add videos from the Dailymotion site until an official fix has been made available. Note that the Dailymotion website contained an XSS vulnerability that could be used as an attack vector, and blocking new videos from the Dailymotion website will not completely address this issue.

Include Skype in the Local Machine Zone Lockdown

Configuring Skype to use the Local Machine Zone Lockdown may prevent this vulnerability from being exploited by preventing Skype from evaluating script in the Local Machine Zone. To set Skype in the Local Machine Zone, edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown registry entry to include the DWORD value Skype.exe and set the Value data to 1. Skype must be completely quit and restarted for the changes to take effect.

Alternatively, the following text can be saved as a .REG file and imported:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown]

Note that this workaround does not directly address the vulnerability. The workaround may make cause some of Skype's features to fail or to operate with limited functionality.

Vendor Information


Skype Technologies Affected

Updated:  January 22, 2008



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


See for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was disclosed by Miroslav Lucinskij.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 36.09
Date Public: 2008-01-17
Date First Published: 2008-01-22
Date Last Updated: 2008-04-29 16:10 UTC
Document Revision: 43

Sponsored by CISA.