A new report claims that there is a serious flaw in Microsoft's Skype mobile apps that could allow a hacker to discover a user's IP address. The flaw is reportedly triggered just by sending a link through Skype's text message feature, and the link does not have to be clicked for the IP address to be revealed.
The new flaw, as reported by 404Media.co, was first discovered by an independent security researcher who goes by the handle "Yossi". The article describes how this issue worked:
"To start, Yossi sent me a link via Skype text chat to google.com. The link was to the real Google site, and not an imposter. I then opened Skype on an iPad and viewed the chat message. I didn’t even click the link. But very soon after, Yossi pasted my IP address into the chat. It was correct."
The article adds that this issue only affects Skype's mobile apps and does not appear to work on Skype on the desktop. Details about how this issue works on the hacker side were not revealed for security reasons, but the article claims the flaw is "trivially easy to exploit and involves changing a certain parameter related to the link."
Yossi sent over his info about the flaw to Microsoft. The company's initial response to Yossi was that the IP address exposure in Skype "does not meet the definition of a security vulnerability for servicing which would require immediate servicing."
However, when 404Media.co asked Microsoft for comment, the company did state that while this issue with Skype was not an immediate security issue based just on the IP address exposure, "we will be addressing it in a future product update as a defense in depth improvement to help keep customers protected." As of this writing, Microsoft has yet to fix this problem.