Microsoft is continuing to investigate a report of a vulnerability in Skype that allows someone to ascertain the IP addresses of logged-on users.
News of the situation has circulated widely since information about it was posted last week on Pastebin. The Pastebin post included a script to help automate the exploitation of the issue on a patched version of Skype 5.5. The flaw allows someone to see a Skype user’s vCarda standard file format for electronic business cards. A look in the log will reveal the Skype users IP addresses as well as the internal network card IP address on the users computer.
From there, running the IP address information through the WHOIS service can be used to determine a user’s location information. The technique only works if the person being targeted is online.
“We are investigating reports of a new tool that captures a Skype users last known IP address,” said Adrian Asher, director of product security at Skype, in a prepared statement. “This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers, and we are takings measures to help protect them.”
Knowledge of this situation is critical for those who use Skype in situations where their location needs to be kept secure, as well as for those just interested in personal privacy, blogged Nick Furneaux, managing director of U.K.-based CSITech.
“I’ve tested this and it does what it says on the tin, he wrote. I was able to extract the external and internal IP’s of a friend in the U.S. to within a few miles of his house, a buddy in Asia to within a few streets and my own to just a few miles down the road. More [disconcertingly] the internal IP combined with the internet facing address provides the basis for a direct probe and then attack of any individual on Skype’s global address book.”
Microsoft, which acquired Skype last year, declined to discuss the issue any further. However, reports have surfaced thatresearchers had reported to Skype back in late 2010 that it was possible to ascertain the IP address of Skype users. The researchers published a paper detailing their findings in 2011. However, their findings went unresolved.
“By calling it a new tool it means they dont have to respond as urgently,” Stevens Le Blond, one of the researchers who wrote the paper, was quoted as saying by the Wall Street Journal. “It makes it seem like they just found out.”