And no, not because Microsoft now owns them. Fast Company is reporting that a group of university researchers has found some previously undetected and very serious security flaws.
The research shows that even when Skype users block callers, allow only calls from their contact list, and connect from behind a firewall, hackers can plumb their identities. The researchers confirmed that intruders can use Skype to discover which files call recipients are sharing, and track their whereabouts, too. The information can be collected without the Skype user even knowing that he or she has been contacted (and is at risk of exploitation).
… a malicious caller can obtain a callee’s IP address by initiating a Skype call, blocking certain functions, and then quickly terminating the call without ringing or causing an alert window to pop up. The caller can then input the IP address into commercial geo-IP mapping software to determine where the receiver is and what Internet service provider he or she uses.
Such an attack can occur whether or not the receiver is on the caller’s contact list or even when the receiver has checked the box to block calls from non-contacts, because Skype is typically running whenever a computer is on. Strangers can call and the callee just doesn’t answer. It’s like a phone that doesn’t ring. The receiver is secure only in that he or she is not alerted to the call and so won’t answer, but Skype still allows the exchange of packets of information. By repeating the process over weeks or months, the intruder can track the movements of any Skype user, unbeknownst to him or her, and construct a detailed account of their daily activities.
The researchers say that redesigning the Skype protocol so that users’ IP addresses are revealed only if they accept a call would offer substantially greater privacy and security. An even stronger defense would be to use a relay, so that a sent packet must pass through an intermediate computer that Skype owns and then is re-sent to users. That way, they would only see Skype’s address, not the address of the party they’re connecting to, Ross says. That would require a major change in design, testing, and redistribution of software to all users, which could take years to implement, he noted.
Unlike on, say, Facebook, the hacker does not have to be on your friend list in order to track you; he merely has to have your Skype ID. Other internet chat services, such as MSN Live, QQ and Google Talk, may also have the same flaw, but the researchers have only confirmed this with Skype. FC says that these researchers first notified Skype of these findings in November 2010. One year later, the issue has not been resolved.