A vulnerability in Skype that could expose members’ IP addresses may have been known to Skype officials as far back as November 2010. A researcher who first discovered the flaw speculates it may have been left exposed perhaps because it was deeply embedded in the code and could cause other problems, according to a Wall Street Journal blog.
Last week someone posted a simple script on Pastebin to disclose Skype user locations in the patched version of Skype 5.5. After news media picked up the story, Microsoft issued an official statement.
“We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are takings measures to help protect them,” said Adrian Asher, director of product security for Skype.
Microsoft bought Skype for $8.5 billion in October 2011. But security researchers in France and New York said today they alerted Skype to the same vulnerability in November 2010. Their research on the flaw was published the same month Microsoft purchased the company.
As with the most recent hack, the researchers took advantage of a flaw to secretly track down the city-level location of Skype users while they were plugged into the network. Upon hearing about the most recent exploit, the researchers last week investigated and found the same flaw still existed.
“By calling it a ‘new tool’ it means they don’t have to respond as urgently,” team leader Stevens Le Blond of the French research institute Inria told a reporter. “It makes it seem like they just found out.”
The most recent exercise involves turning on file creation in the debugging log and leveraging the search feature to view the unsuspecting user’s vcard, which will generate an IP address in the logs. A WHOIS search can then help track down the target’s city, country, ISP and internal user IP address.
Since Microsoft purchased the peer-to-peer service, with 663 million members and growing, it has begun interegrating it into products like Windows Phone and PlayStation Vita.
And while wildly popular with consumers for its convenience and low costs, Skype has not been widely embraced in the corporate world, which remains wary because of ongoing security concerns.
This latest vulnerability underscores that concern since it can allow hackers to uncover corporate strategies and even hack into executive’s computers that have Skype running on them. Until the vulnerability is resolved, Skype users are urged to sign off when the service is not in use to minimize their risk exposure.