Friday, January 13, 2012

Unfixed Skype Bug Reveals Users' Locations, Downloads


Microsoft admits that months after the discovery it is still working to fix a Skype vulnerability that could reveal a user’s location and download habits. As of Jan. 12, the vulnerability remained and Microsoft, which owns Skype, offered no timetable for a fix.
“We are developing a solution to this issue in peer-to-peer networks,” says Dave Forstrom, director at Microsoft’s Trustworthy Computing Group. “Our highest priority is protecting our customers and we continue to monitor the security landscape.”
The flaw, which was discovered last year and has been public knowledge since October, “could potentially disclose the identities, locations and even digital files of the hundreds of millions of users of these systems,” according to a team of researchers from the United States, France and Germany.
Basically, Skype will reveal the IP address of a called party before the call is connected, allowing the data to be used to identify the user. Commercial geo-location services can then place the user’s location on a map and BitTorrent will reveal downloads, as will other sites.
The research team says a “sophisticated high school-age hacker” might use the IP addresses revealed by Skype to track users and some of their habits.
Skype is reportedly the world’s largest provider of international calling services, with 170 million regular users who together place an estimated 20 percent of all international telephone calls.
To demonstrate the potential severity of these security vulnerabilities, the researchers tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period, using techniques that neither harmed nor disrupted the service, did not use any requests for which the service was not designed, and did not interfere with users. User data was anonymized for protection.

What Can Skype Users Do?
Not much, although Keith Ross, the NYU-Poly professor who led the research, told The New York Times that not using your real name or something like it as your Skype user name offers some protection against being tracked, since it makes it harder to link the IP address to a specific person.
He also suggested users leave Skype turned off except when they are placing or receiving a call. This, however, would make Skype much less useful as a telephone replacement for many of its users.
