Skype knew about IP address security flaw back in 2010

Security researchers say they informed Skype of the IP address flaw some 18 months ago. Even more worrying, Microsoft has yet to say whether a patch is coming or when to expect its release.
Written by Emil Protalinski, Contributor

Earlier this week, news broke that Microsoft-owned Skype is leaking sensitive user data, including internal and external IP addresses and TCP ports. The issue was publicly disclosed, and my colleague Ryan Naraine confirmed that a web-based tool is available to help attackers pinpoint the last known IP address of a Skype user. He also noted that an attacker who knows only a Skype username can siphon additional information from that address, such as the user's city, country, and Internet service provider (ISP).

Now we're learning that Skype was informed of this security flaw over a year ago. The security researchers who discovered the vulnerability are part of the French research institute Inria and the Polytechnic Institute of New York University. Stevens Le Blond, the group lead, told the WSJ over the phone that they shared their original findings with Skype in November 2010.

In October 2011, they published results showing how to surreptitiously track the city-level location of 10,000 Skype users for two weeks. Given how widely Skype is used in business, the researchers described how the flaw could be used for corporate espionage: a firm could track the movements of rival employees as they travel to determine where they are doing business and with whom.

Last week, Le Blond re-ran his tests and found that Skype still had not fixed the vulnerability. He also noted that the leaked information could serve as a first step toward hacking into an executive's computer.

The news makes Skype's statement about the situation look very out of place. "We are investigating reports of a new tool that captures a Skype user’s last known IP address," a Skype spokesperson said in a statement. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

Yes, the tool is new, but that's not the full story. "By calling it a 'new tool' it means they don't have to respond as urgently," Le Blond said. "It makes it seem like they just found out."

I have contacted Microsoft for more information and will update you if I hear back.

Update at 12:00 PM PST - Microsoft told me that the above is the latest statement and declined to comment further.
