Microsoft Probes Skype IP Vulnerability Reports

Skype may not be quite as secure as first thought after it emerged that Microsoft is continuing to investigate reports of a tool that allows someone to ascertain the IP addresses of logged-on Skype users.

News of the situation has circulated widely since information about it was posted on last week on Pastebin.

IP Address

The Pastebin post included a script to help automate the exploitation of the issue on a patched version of Skype 5.5. The flaw allows someone to see a Skype user’s vCard–a standard file format for electronic business cards. A look in the log will reveal the Skype user’s IP addresses as well as the internal network card IP address on the user’s computer.

From there, running the IP address information through the WHOIS service can be used to determine a user’s location information. The technique only works if the person being targeted is online.

“We are investigating reports of a new tool that captures a Skype user’s last known IP address,” says Adrian Asher, director of product security at Skype, in a prepared statement. “This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are takings measures to help protect them.”

Knowledge of this situation is critical for those who use Skype in situations where their location needs to be kept secure, as well as for those just interested in personal privacy, blogged Nick Furneaux, managing director of UK-based CSITech.

“I’ve tested this and it does what it says on the tin,” he wrote. “I was able to extract the external and internal IP’s of a friend in the US to within a few miles of his house, a buddy in Asia to within a few streets and my own to just a few miles down the road. More [disconcertingly] the internal IP combined with the internet facing address provides the basis for a direct probe and then attack of any individual on Skype’s global address book.”

Ongoing Issue?

Microsoft, which acquired Skype last year, declined to discuss the issue any further.

However reports have surfaced that researchers had reported to Skype back in late 2010 that it was possible to ascertain the IP address of Skype users. The researchers published a paper detailing their findings in 2011. However, their findings went unresolved.

“By calling it a ‘new tool’ it means they don’t have to respond as urgently,” Stevens Le Blond, one of the researchers who wrote the paper, was quoted as saying by the Wall Street Journal. “It makes it seem like they just found out.”

Think you know security? Test yourself with our quiz.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Blue Origin Aborts Test Flight Minutes Before Launch

Jeff Bezos' Blue Origin cancels New Glenn certification flight at last minute due to unspecified…

4 hours ago

Government Aims To Make UK AI ‘Superpower’

Government to loosen AI regulation, exploit public-sector data, build data centres in growth zones as…

9 hours ago

Brazil Demands Clarity After Meta Ends Fact-Checking

Brazil demands specifics on how new Meta stance on misinformation will apply to country amidst…

17 hours ago

US Executive Order Aims To Shore Up Cyber-Defences

Order from outgoing Joe Biden administration aims to respond to multiple hacks by China targeting…

17 hours ago

Amazon, Meta End Diversity Initiatives

Amazon, Meta end diversity and inclusion initiatives as tech firms re-align policies with those of…

18 hours ago

TSMC Cuts Off Singapore Company Amidst Huawei Fallout

TSMC cuts off Singapore-based PowerAIR as it investigates chip it produced appearing in AI accelerator…

18 hours ago