It’s uncertain at this point who found the vulnerability, but it appears that it first surfaced on Pastebin, later being picked up by the Skype-Open-Source blog.
The proof of concept is fairly simple. All an attacker needs to do is download a special Skype variant and alter a few registry keys to enable debug-log file creation.
When adding a Skype contact, before sending the actual request, the victim’s information card can be viewed. At this point, the log file records the user’s IP address.
As many may be aware, an IP address embeds valuable information about a user's location, including country, city and the name of the Internet service provider they use.
Microsoft was notified of the issue and the company is currently working on a fix.
“We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them,” Adrian Asher, director of product security for Skype, told Neowin.
Ever since Microsoft took over Skype, the communications app has evolved a great deal. The Redmond company has already made it available on the PlayStation Vita and is determined to bring it to the Xbox as well.
However, in recent months, security experts have highlighted a number of vulnerabilities affecting not only Skype websites, but also the application itself.
First, on February 17, we learned that Vulnerability Lab researchers had identified a high-risk memory corruption issue that could have allowed an attacker to remotely crash a computer.
More recently, at the end of March, the same team of experts discovered a number of high-risk flaws, including a pointer corruption problem and a persistent weakness vector.