Microsoft says it is examining reports of a tool that can be used to view Skype users' IP addresses while they are online. The information can allow eavesdroppers to narrow the location of Skype users to within a few miles or even within a few streets.
Microsoft is continuing to investigate a report of a vulnerability in Skype
that allows someone to ascertain the IP addresses of logged-on users.
News of the situation has circulated widely since information about it was
posted last week on Pastebin. The Pastebin post included a script to help
automate the exploitation of the issue on a patched version of Skype 5.5. The
flaw allows someone to see a Skype user's vCard, a standard file format for
electronic business cards. A look in the log will reveal the Skype user's IP
addresses as well as the internal network card IP address on the user's
computer.
From there, running the IP address information through the WHOIS service can
be used to determine a user's location information. The technique only works if
the person being targeted is online.
"We are investigating reports of a new tool that captures a Skype
user's last known IP address," said Adrian Asher, director of product
security at Skype, in a prepared statement. "This is an ongoing,
industry-wide issue faced by all peer-to-peer software companies. We are
committed to the safety and security of our customers, and we are taking
measures to help protect them."
Knowledge of this situation is critical for those who use Skype in
situations where their location needs to be kept secure, as well as for those
just interested in personal privacy, blogged Nick Furneaux, managing director
of U.K.-based CSITech.
"I've tested this and it does what it says on the tin," he wrote. "I
was able to extract the external and internal IPs of a friend in the U.S. to
within a few miles of his house, a buddy in Asia to within a few streets and my
own to just a few miles down the road. More [disconcertingly] the internal IP
combined with the internet facing address provides the basis for a direct probe
and then attack of any individual on Skype's global address book."
Microsoft, which acquired Skype last year, declined to discuss the issue any
further. However, reports have surfaced that
researchers had reported to Skype back in late 2010 that it was possible to
ascertain the IP address of Skype users. The researchers
published a paper detailing their findings in 2011. However, their findings
went unresolved.
"By calling it a new tool it means they don't have to respond as
urgently," Stevens Le Blond, one of the researchers who wrote the paper,
was quoted as saying by the Wall Street Journal. "It makes it seem like
they just found out."