A vulnerability in Microsoft's Skype mobile app has been identified that allows hackers to obtain a user's IP address without any interaction from the user, other than opening a message containing a link. Notably, the user doesn't need to click on the link for their IP address to be exposed. This flaw was highlighted by a report from 404 Media.
The flaw was discovered by an independent security researcher known as Yossi. He demonstrated the vulnerability by sending a link via Skype's text chat feature. When the recipient opened the message, Yossi was able to retrieve their IP address, even if they were using a virtual private network (VPN), which is typically used to mask one's location.
Upon being informed about the flaw, Microsoft initially downplayed its severity. In correspondence shared with 404 Media, Microsoft stated that the “disclosure of an IP address is not considered a security vulnerability on its own.” However, after 404 Media reached out for a comment, Microsoft acknowledged the issue and promised to address it in a future product update. The timeline for this update remains unspecified.
The vulnerability poses significant risks, especially to activists, journalists, political dissidents, and others who rely on anonymity. An IP address can provide insights into a user's general location, which in less populated areas can be quite revealing. Cooper Quintin, a security researcher at the Electronic Frontier Foundation (EFF), emphasized the potential dangers, stating that the flaw could be used for “physical escalations” and “digital escalations.” He further highlighted the risk to individuals like dissidents operating under pseudonyms, as the flaw could potentially reveal their physical location and identity.
Microsoft Has Not Yet Patched the Flaw
Until Microsoft releases a patch to address this vulnerability, users are advised to exercise caution when using Skype, especially on mobile devices. One way to stay safe is to avoid opening messages from unknown senders. Alternatively, users might consider using other communication platforms that don't have this vulnerability.
Microsoft has been trying to keep Skype relevant amidst increasing competition from Microsoft's own Teams, Google Chat, Zoom, and others. In February, the company brought a new version of Skype to users, and also integrated its popular new Bing Chat chatbot AI into the app.