Skype learned about a security hole that reveals users’ IP addresses about 18 months ago, according to the security researchers who discovered the vulnerability.
The vulnerability came to light last week, when Pastebin disclosed the simply executed exploit.
The hole allows for the surreptitious downloading of information from Skype users, including a victim’s city, country, Internet provider and IP address.
Microsoft now owns the free internet voice and video calling application. Last year, Skype reported that it had 663 million users as of January 2011, 37% of whom reported using it occasionally or often for business.
As CIO Journal’s Joel Schectman pointed out, such businesses well might be a bit more leery about that level of use, given Skype’s foot-dragging on fixing the flaw.
The researchers who discovered the exploit – they come out of Inria, a French research institute, and the Polytechnic Institute of New York University – told Schectman that they informed Skype of the vulnerability in November 2010.
The team’s original research revealed that they could track city-level location of 10,000 Skype users for two weeks.
The team’s leader, Stevens Le Blond, told CIO Journal that their re-testing revealed last week that they were still able to do just that, since Skype hasn’t fixed the vulnerability.
When asked about the open hole, Skype sent out a statement that said it was “investigating reports of a new tool” used to capture IP addresses. Skype and Microsoft declined to comment further.
A “new” tool? Interesting word selection. As Le Blond told CIO Journal, Skype thereby dialed down the urgency of fixing the vulnerability:
"By calling it a 'new tool' it means they don't have to respond as urgently. It makes it seem like they just found out."
How much harm can be done by filching somebody’s IP address?
Primarily, it boils down to corporate espionage. The researchers described a scenario in which a corporation could track the movements of its rival’s employees as they travel, to determine where they’re doing business and, likely, with whom.
Le Blond says that the information could also be used as a first step for hacking into an executive’s computer.
Why hasn’t Skype fixed it yet? One of the researchers hypothesized that such a fix might entail Skype reaching its hands deep into the guts of embedded code: a tinkering that could require “heavy restructuring” and inadvertently produce new bugs.
Better to hide your head in the sand? Better to call it a “new” tool and hope nobody notices that the researchers’ published findings date back to 2010?
Better to keep consumer technologies like Skype out of the business, at least until your infosec people determine how safe it is and manage to put some rules around its usage.
Senior couple on video call image, courtesy of Shutterstock.
6 comments on “Skype knew about IP address security flaw since November 2010”
Ummmm…would YOU want anyone to be able to track and even SPOOF your IP address.
Microsoft needs to audit the code…NOW.Find the hole…fix the hole…
So what's the lesson here? That's fairly simple – if you're a corporation don't rely on consumer grade technology which is free. Spend the money and utilize one of the various solutions out there (IBM Sametime, Cisco IP Communicator, Microsoft Office Communicator, etc).
Can you really blame Skype for not digging apart their script to address a vulnerability (potentially) primarily affecting business users only? Here's a thought, if you want that level of support pay for an organization wide solution.
mmm,yes. good input, Dan, thanks.
Businesses, or perhaps someone communicating with dissidents in, say, China, or Iran.
Um, can't you just get people to visit a website you set up and capture their ip address like that?
Generically, this has been an issue since at least 1999. So what?