Skype knew about IP address security flaw since November 2010

Filed Under: Data loss, Featured, Microsoft, Privacy, Vulnerability

Skype learned about a security hole that reveals users' IP addresses about 18 months ago, according to the security researchers who discovered the vulnerability.

The vulnerability came to light last week, when a Pastebin post disclosed the simply executed exploit.

The hole allows for the surreptitious downloading of information from Skype users, including a victim's city, country, Internet provider and IP address.

Microsoft now owns the free internet voice and video calling application. Last year, Skype reported that it had 663 million users as of January 2011, 37% of whom reported using it occasionally or often for business.

As CIO Journal's Joel Schectman pointed out, such businesses might well be a bit more leery about that level of use, given Skype's foot-dragging on fixing the flaw.

The researchers who discovered the exploit - they come out of Inria, a French research institute, and the Polytechnic Institute of New York University - told Schectman that they informed Skype of the vulnerability in November 2010.

The team's original research revealed that they could track city-level location of 10,000 Skype users for two weeks.

The team's leader, Stevens Le Blond, told CIO Journal that their re-testing last week revealed that they were still able to do just that, since Skype hasn't fixed the vulnerability.

When asked about the open hole, Skype sent out a statement that said it was "investigating reports of a new tool" used to capture IP addresses. Skype and Microsoft declined to comment further.

A "new" tool? Interesting word selection. As Le Blond told CIO Journal, Skype thereby dialed down the urgency of fixing the vulnerability:

"By calling it a 'new tool' it means they don't have to respond as urgently. It makes it seem like they just found out."

How much harm can be done by filching somebody's IP address?

Primarily, it boils down to corporate espionage. The researchers described a scenario in which a corporation could track the movements of its rival's employees as they travel, to determine where they're doing business and, likely, with whom.

Le Blond says that the information could also be used as a first step for hacking into an executive's computer.

Why hasn't Skype fixed it yet? One of the researchers hypothesized that such a fix might entail Skype reaching its hands deep into the guts of embedded code: a tinkering that could require "heavy restructuring" and inadvertently produce new bugs.

Better to hide your head in the sand? Better to call it a "new" tool and hope nobody notices that the researchers' published findings date back to 2010?

Better to keep consumer technologies like Skype out of the business, at least until your infosec people determine how safe it is and manage to put some rules around its usage.


6 Responses to Skype knew about IP address security flaw since November 2010

  1. Lou Lange · 720 days ago

    Ummmm... would YOU want anyone to be able to track and even SPOOF your IP address?
    Microsoft needs to audit the code... NOW. Find the hole... fix the hole...

  2. Dan · 720 days ago

    So what's the lesson here? That's fairly simple - if you're a corporation don't rely on consumer grade technology which is free. Spend the money and utilize one of the various solutions out there (IBM Sametime, Cisco IP Communicator, Microsoft Office Communicator, etc).

    Can you really blame Skype for not digging apart their script to address a vulnerability (potentially) primarily affecting business users only? Here's a thought, if you want that level of support pay for an organization wide solution.

  3. dclaar · 720 days ago

    Businesses, or perhaps someone communicating with dissidents in, say, China, or Iran.

  4. Kevin · 720 days ago

    Um, can't you just get people to visit a website you set up and capture their IP address like that?

  5. DaveK · 720 days ago

    Generically, this has been an issue since at least 1999. So what?

    http://packetstormsecurity.org/files/11760/aim.2....


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.