Location-tracking flaw in Skype goes unfixed for more than a year

Researchers from French research institute Inria and the Polytechnic Institute of New York University discovered the flaw, which enables hackers to track IP addresses of Skype users. The researchers said they disclosed the vulnerability to Skype in November 2010, according to a blog by Wall Street Journal reporter Joel Schectman.

Researchers demonstrated that they were able to surreptitiously track the city-level location of 10,000 Skype users for two weeks and told Skype about it. Yet, the researchers found out last week that the vulnerability still had not been patched, according to Schectman, quoting a phone interview between one of the researchers and the CIO Journal.

Skype responded to the revelation by noting that the company was “investigating reports of a new tool” to capture IP addresses.

“By calling it a ‘new tool’ it means they don’t have to respond as urgently. It makes it seem like they just found out”, commented Stevens Le Blond, one of the researchers who found the flaw.

The team discovered they could disguise calls to Skype users, suppressing the pop-up notifications and call-history entries that would otherwise appear on the recipient’s computer or device and identify the caller. The recipients did not know that they had been called and did not have to answer the call in order to be identified, Schectman explained.

After the call, researchers could obtain the user’s IP address from packets of information automatically sent to the caller from the receiving end. By repeating the process every hour, they could map how users moved between cities, Schectman noted.
