Microsoft is facing criticism once again for allegedly not addressing a security vulnerability in its Skype mobile app. According to a report from 404 Media, opening a message that contains a link in Skype can allow hackers to obtain the user’s IP address, without the user needing to click the link.
The flaw was discovered by independent security researcher Yossi, who informed Microsoft about it earlier this month. However, 404 Media reports that the company only promised to issue a patch after being contacted by the media outlet. This delay in addressing the issue has raised concerns about the security of Skype users.
What makes this vulnerability particularly severe is that it doesn’t matter which website the link takes the user to. Yossi demonstrated the flaw by having a reporter from 404 Media open links to Google.com and 404media.co. In both cases, Yossi was able to obtain the reporter’s IP address, even when they were using a virtual private network (VPN) designed to conceal their location.
When Yossi initially contacted Microsoft about the issue on August 12th, the company reportedly dismissed it as not meeting the definition of a security vulnerability. Microsoft stated that the disclosure of an IP address is not considered a security vulnerability on its own and does not require immediate servicing. This response by Microsoft raises questions about its understanding of the severity of the issue.
When 404 Media reached out to Microsoft for comment, the company acknowledged the flaw and stated that it would be addressed in a future product update. However, no estimated timeline for the fix was provided. 404 Media does not provide specific details on how hackers can exploit the flaw, but it says the flaw is “trivially easy to exploit” and involves changing a certain parameter related to the link.
The lack of urgency in addressing this vulnerability means that hackers can continue to exploit it, potentially compromising users’ information without their knowledge. The Verge also contacted Microsoft for comment but did not receive an immediate response.
This is not the first time Microsoft has been criticized for its handling of security vulnerabilities. In July, Chinese hackers breached US government emails through Microsoft Azure, leading to increased scrutiny of the company’s security practices. Amit Yoran, the CEO of cybersecurity company Tenable, called out Microsoft for being “blatantly negligent” in its practices and shared an example of the company delaying a critical fix identified by Tenable. Microsoft only patched the issue after Yoran’s public criticism.
These incidents highlight the need for tech companies to prioritize security and promptly address vulnerabilities. Users rely on companies like Microsoft to protect their data and ensure the safety of their communications. Delaying fixes for security flaws can leave users exposed to potential attacks and breaches.
As technology continues to advance, the importance of robust security practices cannot be overstated. Companies must invest in comprehensive security measures and address vulnerabilities promptly to protect users and maintain their trust. It is crucial for Microsoft to take immediate action to fix the reported security flaw in the Skype mobile app to ensure the safety and privacy of its users.