Skype knew about IP address security flaw back in 2010

Summary: Security researchers say they informed Skype of the IP address flaw some 18 months ago. Even more worrying, Microsoft has yet to state that a patch is coming and when to expect its release.


Earlier this week, news broke that Microsoft-owned Skype is leaking sensitive user data, including internal and external IP addresses, and TCP ports. The issue was publicly disclosed and my colleague Ryan Naraine confirmed that a web-based tool is available to help attackers pinpoint the last known IP address of a Skype user. He also noted that an attacker with a Skype username can siphon additional information, like their city, country, and Internet service provider (ISP).

Now we're learning that Skype was informed of this security flaw over a year ago. The security researchers who discovered the vulnerability are part of the French research institute Inria and the Polytechnic Institute of New York University. Stevens Le Blond, the group lead, told the WSJ over the phone that they shared their original findings with Skype in November 2010.

In October 2011, they published results showing how to surreptitiously track the city-level location of 10,000 Skype users for two weeks. Given how popular Skype is in the industry, the researchers described how the flaw could be used for corporate espionage: a firm could track the movements of rival employees as they travel to determine where they're doing business and with whom.

Last week, Le Blond re-tested his research and found Skype still had not fixed the vulnerability. He also noted the information could be used as a first step for hacking into an executive's computer.

The news makes Skype's statement about the situation look very out of place. "We are investigating reports of a new tool that captures a Skype user’s last known IP address," a Skype spokesperson said in a statement. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

Yes, the tool is new, but that's not the full story. "By calling it a 'new tool' it means they don't have to respond as urgently," Le Blond said. "It makes it seem like they just found out."

I have contacted Microsoft for more information and will update you if I hear back.

Update at 12:00 PM PST - Microsoft told me that the above is the latest statement and declined to comment further.


Topics: Social Enterprise, Collaboration, Networking, Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.



  • This is a known risk you accept when you use a product that runs on a FOSS

    stack. It will get much more secure over time as pieces of their backend architecture migrate over to Azure. In the meantime I'd expect there will probably be some sort of band-aid.
    Johnny Vegas
    • Seriously?

      Seriously, that's what you're going with? The platform it's running on has absolutely nothing to do with it. Have you even looked at what the flaw is? The Skype servers SEND the client the IP address of the other party. It would send the same data regardless of what backend it's running on.

      If I call you up and tell you that you're misinformed and too lazy to do 2 minutes worth of research before you spout inaccuracies, which causes you to cry, are you going to say it wouldn't have happened if I had used Sprint instead of AT&T? If I write you a letter telling you the same, would the problem have been mitigated if I had used UPS instead of USPS to send the letter?

      No. The problem is that the information was sent in the first place, not the delivery method, the paper stock or brand of fountain pen I used.

      Here's a message: "You're misinformed and too lazy to do 2 minutes worth of research so that you have a clue as to what you are talking about." Would ZDNet using IIS instead of Apache have changed the message?

      EDIT: Thanks rascellian, you're right. Edited.
      • Wow...

        ...calm down. I disagree with the OP that the problem was caused by Skype being "FOSS" (it's actually not) but there's no reason to call him/her an idiot over it.
    • Re: a product that runs on a FOSS

      If that is so (my information says the opposite), then maybe you are able to get the source code for Skype presented somewhere public.

      HINT: If the source code is not publicly available, then it is absolutely NOT FOSS.
  • Question...

    ...about this article.

    How long has the tool existed? The upload date on the Pastebin file is Apr. 26th of this year and the Skype build that it instructs you to download is from March 2012. That would indeed make this tool new even if the exploit itself is not new. For example, the "vulnerability" that Firesheep exploited (sniffing unencrypted cookies for Facebook and Twitter out of the ether) was something that anyone running a packet sniffer could already do, but Firesheep turned it into a tool that anyone could use.

    Sure it may be very careful wording to get around the true date of when they knew, but that doesn't make it a lie. On the other hand, if they were presented with the same information last year, along with a "tool" to automate the process, then yes, they lied. Either way, this article doesn't make it clear.
  • Based on article

    Just going by the dates in the article:

    November 2010 - Notified Skype that such a tool was possible.
    October 2011 - Publication of results of tracking. At this point they must have had a working version of the tool for at least 2 weeks, but likely much longer, in order to do the tracking.
    March 2012 - This version of the tool released.

    So while the wording of Skype's response is technically the truth, the existence of the flaw that makes the tool possible was reported long ago.
  • new tool is used to track vice operations

    Careful - I personally think the tool is being used by INTERPOL to track vice activities across borders. A recent sting operation in Malaysia nabbed Skype users that were moving around to various hotels to avoid having an office that could be traced to a static IPA. Is it really a bug or something that is aiding the police?