Microsoft is reportedly dragging its feet on fixing yet another security vulnerability. This time, it’s a flaw in the Skype mobile app that could let hackers obtain your IP address by opening a message with a link — no clicking required, according to a report from 404 Media.
The flaw, which was uncovered by the independent security researcher Yossi, allows hackers to see a user’s general location by having them open a message containing a link. While Yossi told Microsoft about the flaw earlier this month, 404 Media reports that the company only promised to issue a patch after the outlet reached out.
To attest to the severity of the flaw, it doesn’t seem to matter what website the link takes you to. The researcher demonstrated the flaw to 404 Media by having its reporter open links to Google.com and 404media.co. Yossi was able to obtain the reporter’s IP address both times — even when they used a virtual private network (VPN), which is supposed to mask your location.
When Yossi reached out to Microsoft about the issue on August 12th, the company reportedly told the researcher that the “disclosure of an IP address is not considered a security vulnerability on it’s [sic] own,” adding that the flaw “does not meet the definition of a security vulnerability” that would “require immediate servicing.”
When 404 Media contacted Microsoft, the company said it would address the flaw in “a future product update” but didn’t provide an estimated timeline. While 404 Media doesn’t provide specifics on how hackers can exploit the flaw, it states that “it is trivially easy to exploit and involves changing a certain parameter related to the link.”
That means hackers can continue exploiting it until Microsoft decides to fix it, potentially exposing users’ information without their knowledge. The Verge reached out to Microsoft with a request for comment and didn’t immediately hear back.
Since Chinese hackers breached US government emails through Microsoft Azure in July, the company has faced growing criticism for its handling of security vulnerabilities. Earlier this month, Amit Yoran, the CEO of the cybersecurity company Tenable, called out the company’s “blatantly negligent” practices while citing his own example of Microsoft delaying a critical fix spotted by the firm. Microsoft only patched the issue after Yoran’s post was published.
