Microsoft is continuing to investigate a report of a vulnerability in Skype that allows someone to ascertain the IP addresses of logged-on users.
News of the situation has circulated widely since information about it was posted last week on Pastebin. The Pastebin post included a script to help automate the exploitation of the issue on a patched version of Skype 5.5. The flaw allows someone to see a Skype user’s vCard—a standard file format for electronic business cards. A look in the log will reveal the Skype user’s IP addresses as well as the internal network card IP address on the user’s computer.
From there, the IP address information can be run through the WHOIS service to determine a user’s location information. The technique only works if the person being targeted is online.
“We are investigating reports of a new tool that captures a Skype user’s last known IP address,” said Adrian Asher, director of product security at Skype, in a prepared statement. “This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers, and we are taking measures to help protect them.”
Knowledge of this situation is critical for those who use Skype in situations where their location needs to be kept secure, as well as for those just interested in personal privacy, blogged Nick Furneaux, managing director of U.K.-based CSITech.















