Microsoft Slow to Address Security Vulnerability in Skype Mobile App
Microsoft is purportedly delaying the patching of yet another security flaw. According to 404 Media, this time it’s a hole in the Skype mobile app that might allow hackers to access your IP address simply by opening a message with a link – no clicking required.
The issue, discovered by independent security researcher Yossi, allows hackers to determine a user’s general location by instructing them to open a message containing a link. While Yossi reported the weakness to Microsoft earlier this month, 404 Media reports that the corporation only offered to deliver a patch after the publication contacted them.
To demonstrate the seriousness of the problem, it doesn’t appear to matter whatever website the link leads to. The researcher showed 404 Media the issue by having its reporter access links to Google.com and 404media.co. Yossi was able to discover the reporter’s IP address both times – even when they were using a VPN, which is supposed to hide your location.
When Yossi contacted Microsoft about the issue on August 12th, the company reportedly told him that “disclosure of an IP address is not considered a security vulnerability on its [sic] own,” and that the flaw “does not meet the definition of a security vulnerability” that would “require immediate servicing. Source : (https://www.theverge.com)”
When 404 Media contacted Microsoft, the corporation stated that the flaw would be addressed in “a future product update,” but provided no deadline. While 404 Media does not go into detail about how hackers might exploit the issue, it does say that “it is trivially easy to exploit and involves changing a certain parameter related to the link.”
That means hackers can continue to exploit it until Microsoft fixes it, possibly exposing users’ personal information without their knowledge.
Since Chinese hackers stole US government emails using Microsoft Azure in July, the corporation has come under fire for how it handles security issues. Tenable’s CEO, Amit Yoran, called out the company’s “blatantly negligent” practices earlier this month, citing his own example of Microsoft delaying a vital remedy discovered by the firm. Microsoft only fixed the problem after Yoran’s blog article was published.
Keywords: Microsoft, cybersecurity, Skype