
Skype security flaw

Created: 08 Dec 2011

The researchers found several properties of Skype that can be used to track not only users' locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user's consent.

"Even when a user blocks callers or connects from behind a Network Address Translation (NAT) -- a common type of firewall -- it does not prevent the privacy risk," according to a release from NYU-Poly.

The research team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and found that callers using VoIP systems can obtain the IP address of another user when establishing a call with that person. The caller can then use commercial geo-IP mapping services to determine the other user's location and Internet Service Provider (ISP).

The user can also initiate a Skype call, block some packets and quickly terminate the call to obtain an unsuspecting person's IP address without alerting them with ringing or pop-up windows. Users do not need to be on a contact list, and it can be done even when a user explicitly configures Skype to block calls from non-contacts.

This has always made me wonder why these programs have their own security policies. Can't it be possible for products such as Skype, which millions of people use to connect to friends and family globally, to work with dedicated security software to stop any unwanted threats? For instance, both Xbox Live and the Playstation online network have been hit this year by fraudsters who stole millions from unsuspecting users. So wouldn't working together be beneficial for all parties? If the technology is already there, why develop your own inferior product?
