Researchers: Skype Ignored Location-Tracking Vulnerability for More Than a Year

Skype learned more than a year ago about a privacy vulnerability that would allow someone to identify the IP address and possibly the geographic location of a user, but left it unfixed, according to researchers who say they notified the company in 2010.

Stevens Le Blond, a former researcher at the polytechnic institute Inria in France, who now works at the Max Planck Institute for Software Systems, told the CIO Journal that he and fellow researchers at the Polytechnic Institute of New York University disclosed the vulnerability to Skype in November 2010 and published the information in October 2011. Therefore they were surprised to find that the vulnerability was still unfixed last week after someone posted a script online showing Skype being exploited to uncover the local and remote IP addresses for users.

When asked about the researchers’ disclosure, Skype, which is owned by Microsoft, repeated only what Skype had told reporters last week when a different exploit also exposing IP addresses was published. Adrian Asher, director of product security for Skype, said at the time that Skype was “investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies.”

“By calling it a ‘new tool’ it means they don’t have to respond as urgently,” Le Blond told the Journal. “It makes it seem like they just found out.”

The researchers found that they were able to uncover the IP address of Skype users, and their city location, by conducting a masked call to a user. The call could be made in a way that would prevent a notification from popping up on the user’s screen and prevent the call from appearing in a user’s call history.

Once the call was made, the researchers obtained the IP address from information that Skype automatically sends to the caller. By repeating a call every hour, they could actually map a user’s movement to determine if they moved between cities. In this way, they surreptitiously tracked the city-level location of 10,000 Skype users for two weeks.

They decided to check if the vulnerability had been fixed after someone released information anonymously on Pastebin last week that showed how to exploit a patched version of Skype 5.5 to obtain an IP address in a different manner that doesn’t require a masked call.

The technique involves enabling debug logging, doing a search on active users as if to add them as a contact, and then viewing their vcard, or contact information card, which will generate an IP address in the logs. Using IP address research tools, someone could then track the location of the IP address to a city.

Keith Ross, one of the researchers who notified Skype in 2010, told the CIO Journal that Skype had likely not fixed the problem because it may be “deeply embedded in the code” and require “heavy restructuring” to resolve.