Over five years ago, in November 2010, security researchers found a serious privacy vulnerability in Skype that could allow hackers to surreptitiously scoop up sensitive information about users, including victims’ IP addresses, which reveal their city-level location.
The researchers who found the flaw were part of the French research institute Inria and the Polytechnic Institute of New York University, and chose to keep their findings out of the public eye, only sharing them with Microsoft-owned Skype.
However, in May 2012, a year and a half after being informed about the flaw, news of the still unpatched vulnerability hit the headlines after a web-based tool was published that helped hackers identify the last known IP address of a Skype user.
You might like to imagine that, stirred by the news going public, Microsoft stopped resting on its laurels and moved quickly to fix the problem.
If so, you would be mistaken, because it then took another 44 months (or over five years since the issue was initially raised with Skype) for the problem to get fixed.
Skype last week blogged that in its latest version IP addresses would finally be hidden by default:
“Starting with this update to Skype and moving forward, your IP address will be kept hidden from Skype users. This measure will help prevent individuals from obtaining a Skype ID and resolving to an IP address.”
An IP address is an important piece of information that can be used to track your approximate location and your service provider. But the information is not always accurate, as you could be using a VPN, which might make it appear that you are based in a different country from the one where you are really located.
All the same, unfortunately most people do not use VPNs, and IP information could help vengeful gamers launch denial-of-service attacks and (even scarier) potentially help provide pranksters with the information they need to trick armed police SWAT teams into raiding a property.
Skype itself is clearly aware that the gaming community is particularly impacted by IP addresses being shared, as it entitled its blog post “To our gamers: IP will now be hidden by default in latest update”.
Of course, Skype no longer sharing users’ IP addresses by default doesn’t mean we won’t see any more SWATting or DDoS attacks against streaming gamers, but anything which allows internet users to retain a higher degree of privacy about their physical location has to be a good thing.
I just wish that Microsoft-owned Skype had been a little quicker about fixing a privacy hole that they have known about for over five years. If you’re not sure if you’re running the latest version of Skype, go to Help > Check for Updates now.
Author Graham Cluley, We Live Security