Security researcher Yossi has discovered that threat actors could find a target's IP address by sending the target a specially crafted link via Skype's mobile app. According to the researcher, the victim need only open the message for the attack to succeed.
The implications of perpetrators learning their target's IP address in such a simple manner are huge. A criminal could exploit the IP address further to reveal additional details about a target or even weaponize it and use it in various attacks.
As 404 Media reported, Yossi informed Microsoft of the issue earlier this month. The company reportedly downplayed it, stating that the "disclosure of an IP address is not considered a security vulnerability on it's [sic] own."
After 404 Media asked Microsoft to comment on the situation, the company said it was taking steps to "fix the issue in an upcoming patch."
Cybersecurity reporter Joseph Cox tested Yossi's attack; he connected to a VPN and opened the Skype app on an iPad. Yossi sent his "victim" a link to Google, and after viewing the message, the target's IP address was leaked to the attacker.
A second test followed, with Cox connecting to a public Wi-Fi network without a VPN; again, his IP address leaked to Yossi, pinpointing the specific area of the city he was chatting from.
The issue seems to affect only the mobile versions of Skype, as Yossi was unable to learn the recipient's IP address after switching to a Mac version.
The flaw is still unpatched, and 404 Media offers no additional details about it other than that it "involves changing a certain parameter related to the link."