Microsoft Probes Skype IP Vulnerability Reports

Skype may not be quite as secure as first thought after it emerged that Microsoft is continuing to investigate reports of a tool that allows someone to ascertain the IP addresses of logged-on Skype users.

News of the situation has circulated widely since information about it was posted last week on Pastebin.

IP Address

The Pastebin post included a script to help automate the exploitation of the issue on a patched version of Skype 5.5. The flaw allows someone to see a Skype user’s vCard–a standard file format for electronic business cards. A look in the log will reveal the Skype user’s IP addresses as well as the internal network card IP address on the user’s computer.

From there, the IP address information can be run through the WHOIS service to determine a user’s location information. The technique only works if the person being targeted is online.

“We are investigating reports of a new tool that captures a Skype user’s last known IP address,” says Adrian Asher, director of product security at Skype, in a prepared statement. “This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.”

Knowledge of this situation is critical for those who use Skype in situations where their location needs to be kept secure, as well as for those just interested in personal privacy, blogged Nick Furneaux, managing director of UK-based CSITech.

“I’ve tested this and it does what it says on the tin,” he wrote. “I was able to extract the external and internal IP’s of a friend in the US to within a few miles of his house, a buddy in Asia to within a few streets and my own to just a few miles down the road. More [disconcertingly] the internal IP combined with the internet facing address provides the basis for a direct probe and then attack of any individual on Skype’s global address book.”

Ongoing Issue?

Microsoft, which acquired Skype last year, declined to discuss the issue any further.

However, reports have surfaced that researchers had reported to Skype back in late 2010 that it was possible to ascertain the IP address of Skype users. The researchers published a paper detailing their findings in 2011, but the issue they described went unresolved.

“By calling it a ‘new tool’ it means they don’t have to respond as urgently,” Stevens Le Blond, one of the researchers who wrote the paper, was quoted as saying by the Wall Street Journal. “It makes it seem like they just found out.”


Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
