A Skype app vulnerability could expose your IP address to hackers — and Microsoft has yet to fix it


Photo by Amelia Holowaty Krales / The Verge

Microsoft is reportedly dragging its feet on fixing yet another security vulnerability. This time, it’s a flaw in the Skype mobile app that could let hackers obtain your IP address when you open a message containing a link — no clicking required, according to a report from 404 Media.

The flaw, which was uncovered by the independent security researcher Yossi, allows hackers to see a user’s general location by having them open a message containing a link. While Yossi told Microsoft about the flaw earlier this month, 404 Media reports that the company only promised to issue a patch after the outlet reached out.

The severity of the flaw is underscored by the fact that it doesn’t seem to matter which website the link takes you to. The researcher demonstrated the flaw to 404 Media by having its reporter open links to Google.com and 404media.co. Yossi was able to obtain the reporter’s IP address both times — even when they used a virtual private network (VPN), which is supposed to mask your location.

When Yossi reached out to Microsoft about the issue on August 12th, the company reportedly told the researcher that the “disclosure of an IP address is not considered a security vulnerability on it’s [sic] own,” adding that the flaw “does not meet the definition of a security vulnerability” that would “require immediate servicing.”

When 404 Media contacted Microsoft, the company said it would address the flaw in “a future product update” but didn’t provide an estimated timeline. While 404 Media doesn’t provide specifics on how hackers can exploit the flaw, it states that “it is trivially easy to exploit and involves changing a certain parameter related to the link.”

That means hackers can continue exploiting it until Microsoft decides to fix it, potentially exposing users’ information without their knowledge. The Verge reached out to Microsoft with a request for comment and didn’t immediately hear back.

Since Chinese hackers breached US government emails through Microsoft Azure in July, the company has faced growing criticism for its handling of security vulnerabilities. Earlier this month, Amit Yoran, the CEO of the cybersecurity company Tenable, called out the company’s “blatantly negligent” practices while citing his own example of Microsoft delaying a critical fix spotted by the firm. Microsoft only patched the issue after Yoran’s post was published.

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We at StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Sarthak Luthra