Be careful what messages you read in Skype—at least when you’re on your smartphone. A flaw in the mobile app can reveal your IP address to another person unbeknownst to you. All it takes is opening a message with a link in it. And Microsoft is apparently not prioritizing this issue as a security vulnerability.
Unfortunately, you don’t have to click the link for your location to be revealed, according to a 404 Media report. Using a VPN, which is supposed to hide your actual IP address, won’t protect you from this flaw either. And, to make matters worse, any legitimate URL can be used. As discovered by Yossi, the independent researcher who discovered the issue, the exploit only requires a change to a link parameter. Typically, chat apps act as a buffer between individuals on the platform. The service knows each person’s location, but doesn’t share it while facilitating communication.
Further details about how the vulnerability works aren’t yet available—404 Media is currently withholding them, as Microsoft has yet to patch the flaw. Currently the update’s release date is unknown (“a future product update”), though Microsoft says the business version of Skype is not affected. 404 Media says that a fix was not announced until the outlet reached out for comment.
But though the flaw may not be a high priority for Microsoft—the company reportedly classified it as failing to meet the definition of a security vulnerability when Yossi first shared his findings—this privacy issue is still problematic for security. As pointed out by a different security researcher contacted by 404 Media, an IP address can be used to enable physical or digital harassment. Anyone who has an interest in you could use Skype to make that task easier. For dangerous situations, like a stalker hunting down their victim, an abuser tracking a partner who’s left, or someone working to uncover an anonymous journalist or dissident, this Skype flaw can make those attempts easier. An IP address can be used to help confirm other data about your location or refine an ongoing search.
So, how do you stay safe? The easiest solution is to not use Skype since plenty of other popular alternatives exist. But if that’s not an option, be careful about what messages you view until a patch is released. That’s not an ideal solution, but it’s the only one available at the moment.