Skype Knew of Security Flaw Since November 2010, Researchers say - Wall Street Journal
- Joel Schectman for Wall Street Journal May 1st, 2012
- Source: http://blogs.wsj.com/cio/2012/05/01/skype-knew-of-security-flaw-since-november-2010-researchers-say/
Skype was told a year and a half ago about a security flaw that allows for the location tracking of customers, but left it unfixed, the security researchers who first discovered the vulnerability told CIO Journal.
The flaw, which allows hackers to secretly track IP addresses, should be of interest to CIOs. Skype, which is now owned by Microsoft, said last year about 37% of its 663 million community members use the “Skype product platform occasionally or often for business-related purposes.”
While the Internet voice and video calling application is not widely supported by corporations, many CIOs are under increasing pressure to allow such consumer technology into the company. The inability of Skype to fix the flaw may give some CIOs pause.
Researchers from Inria, a research institute in France, and the Polytechnic Institute of New York University, shared their original findings on the Skype vulnerability in November 2010, the team’s leader Stevens Le Blond told CIO Journal in a phone call on Tuesday. Their research, which was published in October 2011, showed the team was able to surreptitiously track the city-level location of 10,000 Skype users for two weeks. Last week, Le Blond re-tested his research and found Skype still had not fixed the vulnerability, he said.
When asked about the security flaw, Skype sent CIO Journal a statement saying the company was “investigating reports of a new tool” used to capture IP addresses. Skype and Microsoft declined to comment further.
“By calling it a ‘new tool’ it means they don’t have to respond as urgently,” Le Blond said. “It makes it seem like they just found out.”
The team discovered they could mask brief calls to Skype users, preventing the pop-up notifications and call-history entries that would otherwise identify the caller from appearing on the recipient’s computer or device. The recipients didn’t know that they had been called, and didn’t have to answer the call in order to be identified.
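The mechanism the article describes, in the generic form a security engineer would reconstruct it, is that a peer-to-peer call setup makes the callee’s client answer at the transport level before the user ever sees a ring, so the caller learns the callee’s IP address simply by initiating and then cancelling. The following is an added example, not Skype’s protocol and not the researchers’ tool: a toy UDP exchange on loopback where the message names (INVITE, ACK, REG), the automatic acknowledgement, and the relay design are all assumptions for illustration. `probe_direct` shows the caller observing the callee’s real endpoint without any user action; `probe_relayed` shows the generic mitigation of routing signaling through a relay so each side only ever sees the relay’s address.

```python
"""Added example: why a direct peer-to-peer call setup leaks the callee's
address before anyone answers, and how relaying hides it.

Generic loopback UDP toy, not Skype's protocol. Message names and the
relay are assumptions for illustration only.
"""
import socket

HOST = "127.0.0.1"  # loopback; each socket gets its own ephemeral port


def _udp():
    """Bind a UDP socket to an ephemeral loopback port with a short timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((HOST, 0))
    s.settimeout(2.0)
    return s


def probe_direct():
    """Caller sends one signaling packet straight to the callee's endpoint.

    The callee's stack acknowledges at the transport level (assumed here,
    as a real stack would) before any ring or UI notification, so the
    caller learns the callee's real address without the callee answering.
    """
    caller, callee = _udp(), _udp()
    try:
        caller.sendto(b"INVITE", callee.getsockname())
        _, caller_addr = callee.recvfrom(64)      # callee's stack sees the caller
        callee.sendto(b"ACK", caller_addr)        # automatic reply, no user action
        _, seen_by_caller = caller.recvfrom(64)   # caller sees callee's real endpoint
        return {"callee_addr": callee.getsockname(),
                "seen_by_caller": seen_by_caller}
    finally:
        caller.close()
        callee.close()


def probe_relayed():
    """Same exchange through a relay: each side only ever sees the relay.

    The relay keeps a user-id -> endpoint table and rewrites the source of
    every forwarded datagram, so neither peer learns the other's address.
    """
    caller, callee, relay = _udp(), _udp(), _udp()
    try:
        # Callee registers its endpoint with the relay under an id.
        callee.sendto(b"REG alice", relay.getsockname())
        _, callee_addr = relay.recvfrom(64)
        table = {b"alice": callee_addr}

        # Caller asks the relay to reach "alice"; relay forwards from itself.
        caller.sendto(b"INVITE alice", relay.getsockname())
        msg, caller_addr = relay.recvfrom(64)
        relay.sendto(b"INVITE", table[msg.split()[1]])

        _, seen_by_callee = callee.recvfrom(64)   # callee sees only the relay
        callee.sendto(b"ACK", seen_by_callee)     # reply goes back to the relay
        relay.recvfrom(64)
        relay.sendto(b"ACK", caller_addr)
        _, seen_by_caller = caller.recvfrom(64)   # caller sees only the relay
        return {"callee_addr": callee.getsockname(),
                "relay_addr": relay.getsockname(),
                "seen_by_caller": seen_by_caller,
                "seen_by_callee": seen_by_callee}
    finally:
        caller.close()
        callee.close()
        relay.close()


if __name__ == "__main__":
    d = probe_direct()
    print("direct:  caller learned", d["seen_by_caller"],
          "(callee's real endpoint)" if d["seen_by_caller"] == d["callee_addr"] else "")
    r = probe_relayed()
    print("relayed: caller learned", r["seen_by_caller"],
          "(the relay, not", r["callee_addr"], ")")
```

The design point is that the leak does not depend on the call being answered or even noticed: any protocol in which the callee’s software responds directly to an unsolicited connection attempt before user consent exposes the callee’s endpoint, and suppressing the notification only hides the evidence. Relaying signaling (and, for stronger guarantees, media) through an intermediary is the standard way to keep endpoints private from arbitrary callers; it costs latency and relay capacity, which is why peer-to-peer designs tend to avoid it.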