Skype knew about IP address security flaw back in 2010

Summary: Security researchers say they informed Skype of the IP address flaw some 18 months ago. Even more worrying, Microsoft has yet to state that a patch is coming or when to expect its release.

Earlier this week, news broke that Microsoft-owned Skype is leaking sensitive user data, including internal and external IP addresses and TCP ports. The issue was publicly disclosed, and my colleague Ryan Naraine confirmed that a web-based tool is available to help attackers pinpoint the last known IP address of a Skype user. He also noted that an attacker with a Skype username can siphon additional information, such as the user's city, country, and Internet service provider (ISP).

Now we're learning that Skype was informed of this security flaw over a year ago. The security researchers who discovered the vulnerability are part of the French research institute Inria and the Polytechnic Institute of New York University. Stevens Le Blond, the group lead, told the WSJ over the phone that they shared their original findings with Skype in November 2010.

In October 2011, they published results showing how to surreptitiously track the city-level location of 10,000 Skype users for two weeks. Given how popular Skype is in the industry, the researchers described how the flaw could be used for corporate espionage: a firm could track the movements of rival employees as they travel to determine where they're doing business and with whom.

Last week, Le Blond re-tested his research and found Skype still had not fixed the vulnerability. He also noted the information could be used as a first step for hacking into an executive's computer.

The news makes Skype's statement about the situation look very out of place. "We are investigating reports of a new tool that captures a Skype user’s last known IP address," a Skype spokesperson said in a statement. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

Yes, the tool is new, but that's not the full story. "By calling it a 'new tool' it means they don't have to respond as urgently," Le Blond said. "It makes it seem like they just found out."

I have contacted Microsoft for more information and will update you if I hear back.

Update at 12:00 PM PST - Microsoft told me that the above is the latest statement and declined to comment further.


About

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.
