Risk
5/2/2012
11:49 AM

Skype Bug Divulges IP Addresses

Microsoft investigating feature that lets attacker identify the internal and external IP addresses of anyone who's logged into Skype.

A previously undisclosed feature in Skype allows any user to discern the external and internal IP addresses of everyone who's currently logged onto Skype.

"Knowledge of this is critical if you use Skype in any situations where your location needs to remain secure or simply if you are interested in personal privacy," said Nick Furneaux, managing director of computer forensic services provider CSITech, in a blog post.

Knowledge about the vulnerability first surfaced last week in a Pastebin post from Russian hackers. The instructions involve using a patched version of deobfuscated Skype 5.5, and then enabling debug logging by altering a few registry keys. Reviewing the log file will divulge active users, and entering one of those usernames into Skype's "add a contact" feature--but not sending a request to add them as a contact--would then let an attacker click on the name and see their IP address information. Running that information through the whois service, meanwhile, can detail the user's city, country, and service provider.

The Pastebin post also includes a 19-line Perl script that automates the process of searching in the debug log. "I've tested this and it does what it says on the tin," said Furneaux, meaning the script works as advertised. "I was able to extract the external and internal IPs of a friend in the U.S. to within a few miles of his house, a buddy in Asia to within a few streets, and my own to just a few miles down the road," he said.

But the bigger concern is that being able to discern someone's internal and external IP address "provides the basis for a direct probe and then attack of any individual on Skype's global address book," he said.

A related website recently debuted, which automated the Skype username lookup process. But the site, Skype-IP-Finder, was offline Wednesday, apparently due to a service-provider takedown. "This domain and website have been suspended because of abuse or copyright reasons," read a notice posted on the site. Similarly, according to news reports, some Skype users who have tested out the bug--or undocumented feature--have seen their accounts terminated by Skype, which was bought last year by Microsoft.

Furneaux said that any peer-to-peer based service, such as Skype, might--by design--reveal the IP addresses of anyone that a user connects to, for example, while having a conversation or transferring files. "But at least you are in a conversation with a 'known' person," he said. By contrast, the attack technique "can be used by and against anyone with a Skype account, regardless of whether they are a buddy," he said. "I hope that Skype takes a serious look at this, simply proxying contact requests would likely solve it, which wouldn't be awfully hard for them."

Microsoft Tuesday confirmed that it's investigating the bug, which according to The Wall Street Journal might have been detailed to Skype officials as far back as November 2010.

"We are investigating reports of a new tool that captures a Skype user's last known IP address," said Adrian Asher, director of product security at Skype, in a statement. But he likewise warned that the service, by its nature, can reveal details about connected users. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

This isn't the first privacy-related bug to surface on Skype. Last year, academic researchers released a paper, "I Know Where You Are And What You Are Sharing," that detailed techniques for probing Skype users' credentials without their knowledge, provided an attacker knew their target's birthdate and birth name, reported The Register.

"We have shown that it is possible for an attacker, with modest resources, to determine the current IP address of identified and targeted Skype user[s] (if the user is currently active)," according to the paper. "In the case of Skype, even if the targeted user is behind a NAT, the attacker can determine the user's public IP address. Such an attack could be used for many malicious purposes, including observing a person's mobility or linking the identity of a person to his Internet usage."

Using the gleaned information, researchers also were able to correlate BitTorrent downloading activity with Skype accounts, meaning they could positively identify people who were simultaneously using BitTorrent and Skype.

The researchers said the bug could be fixed by not disclosing any IP information until a Skype user accepted an incoming call.

Comments
SkiMan01,
User Rank: Apprentice
5/3/2012 | 3:07:58 PM
re: Skype Bug Divulges IP Addresses
Years ago I had written a routine that was based on my PC server. The server looked like a gateway, even though it was my machine, and any incoming ping would always return an IP address of 127.0.0.1. In that way, any attempt to drop anything on my machine via my IP address dropped on your own hard drive.

Worked very well for all the years I had that old computer.