In new skype video chat, every user is able to insert a video in his own mood.
And this is the result:

1) Prepare your XSS injection

(Pics from critical)

2) Exploit it !

(Pics from critical)

It seems that skype trusts on 3rd part links without control-it !

We were able to find some permanent XSS vectors in videos have a ‘Title’ field, which is not properly filtered and returned to user in certain conditions. So it becomes possible to execute malicious script content when user is searching for a video to add to his mood. You may also test it by entering word ‘saugumas’ in video search field.

Original post: ( )