The IP-revealing security flaw in Skype's systems that emerged late last month was discovered in 2010 according to Stevens Le Blond, one of the researchers behind the exploit from French institute INRIA. Le Blond told the Wall Street Journal that the team first discovered the flaw in November 2010, and was able to track the city-level location of more than 10,000 Skype users over a period of two weeks. Despite the fact that the research was published more than six months ago Skype has still not patched the vulnerability, with code uploaded to GitHub a week ago bringing the exploit to the attention of the public.
Le Blond also takes issue with the statement released by Skype in response to the flaw. "By calling it a ‘new tool’ it means they don’t have to respond as urgently," he said, adding "it makes it seem like they just found out." It seems that Microsoft has begun to take the issue a little more seriously, though, turning to hosted supernodes rather than the distributed P2P structure that it normally uses in an effort to tighten its network security. The Skype-IP-Finder site has also been taken down for "abuse or copyright reasons," while a warning on the GitHub page says that Skype will ban anyone who uses the cracked SkypeKit.
Le Blond speculates that Skype's hesitance to fully patch the exploit might be down to concerns over causing other knock-on issues in the network, and that the hole might be deep-seated in Skype's code. By changing something that low level, he said that "you can introduce new bugs and problems." Now that the flaw has gone public, and gained a large amount of media attention in the process, we'd expect to see Microsoft address the vulnerability shortly.