Easy-to-exploit Skype vulnerability reveals users’ IP address
A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret.
The vulnerability
The security vulnerability has been discovered by a security researcher named Yossi, who privately reported it to Microsoft and demonstrated its effective exploitation to journalist Joseph Cox.
Vulnerability specifics have not been publicly shared since it has yet to be patched, but Cox says it’s “trivially easy to exploit and involves changing a certain parameter related to the link.”
The vulnerability allows attackers to send a message with a link that will reveal the recipient’s IP address when they open the message. They don’t have to click on the link or do anything else for the attack to work.
While Microsoft initially said that the issue “does not meet the definition of a security vulnerability for servicing which would require immediate servicing”, it later confirmed that it will be addressed it in “a future product update”.
According to Cox, the attack works if the recipient uses the Skype mobile app, but Mac users are safe. Microsoft claims that Skype’s business product – Skype for Business, part of Microsoft Office 365 – is not affected.
The associated risk
This vulnerability may endanger political dissidents, journalists, law enforcement officers, domestic violence victims, and other individuals that want to keep their location secret at all times.
While IP addresses do not reveal a person’s precise location, they can reveal their geographic location (country, city/city area, ZIP code). Combined with other information, this may the final data point required to pinpoint a target’s actual location.
Until Microsoft fixes the issue, users that may be in the crosshairs of determined attackers should refrain from using the Skype mobile app. According to Cox, using a virtual private network (VPN) to connect to Skype will not hide the recipient’s real IP address from the attacker.