An Australian security researcher stumbled across a significant vulnerability during routine use of the VoIP service.
Skype has since patched the vulnerability, which allowed attackers to take control of a computer via malicious messaging – but waited weeks before telling users the fix was available.
The vulnerability was first spotted by chance by Australian security researcher Gordon Maddern of Pure Hacking, who stumbled across the weakness during routine use of Skype.
“I was chatting on Skype to a colleague about a payload for one of our clients – and completely by accident, my payload executed in my colleague's Skype client,” Maddern wrote in a blog post.
“I found that the Windows and Linux clients were not vulnerable and figured out what was needed to execute code. So I put together a proof of concept using Metasploit and Meterpreter as a payload – and I was able to remotely gain a shell,” he said.
“The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.”
Pure Hacking said it wouldn't release further details about the flaw until a fix had been made available, criticising Skype for taking a month to release a patch.
However, Adrian Asher wrote on the Skype blog that the VoIP firm had issued a manual patch last month but had not publicised it, because it had seen no widespread exploitation of the vulnerability.
“As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week.”
The manual patch is available from Skype in the meantime.