Risk
5/2/2012
11:49 AM
Connect Directly
RSS
E-Mail
50%
50%

Skype Bug Divulges IP Addresses

Microsoft investigating feature that lets attacker identify the internal and external IP addresses of anyone who's logged into Skype.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
A previously undisclosed feature in Skype allows any user to discern the external and internal IP addresses of everyone who's currently logged onto Skype.

"Knowledge of this is critical if you use Skype in any situations where your location needs to remain secure or simply if you are interested in personal privacy," said Nick Furneaux, managing director of computer forensic services provider CSITech, in a blog post.

Knowledge about the vulnerability first surfaced last week in a Pastebin post from Russian hackers. The instructions involve using a patched version of deobfuscated Skype 5.5, and then enabling debug logging by altering a few registry keys. Reviewing the log file will divulge active users, and entering one of those usernames into Skype's "add a contact" feature--but not sending a request to add them as a contact--would then let an attacker click on the name and see their IP address information. Running that information through the whois service, meanwhile, can detail the user's city, country, and service provider.

The Pastebin post also includes a 19-line Perl script that automates the process of searching in the debug log. "I've tested this and it does what it says on the tin," meaning the script works as advertised. "I was able to extract the external and internal IPs of a friend in the U.S. to within a few miles of his house, a buddy in Asia to within a few streets, and my own to just a few miles down the road," said Furneaux.

[ Can the Middle East eavesdrop on Skype? See Skype Protocol Cracked. ]

But the bigger concern is that being able to discern someone's internal and external IP address "provides the basis for a direct probe and then attack of any individual on Skype's global address book," he said.

A related website recently debuted, which automated the Skype username lookup process. But the site, Skype-IP-Finder, was offline Wednesday, apparently due to a service-provider takedown. "This domain and website have been suspended because of abuse or copyright reasons," read a notice posted on the site. Similarly, according to news reports, some Skype users who have tested out the bug--or undocumented feature--have seen their accounts terminated by Skype, which was bought last year by Microsoft.

Furneaux said that any peer-to-peer based service, such as Skype, might--by design--reveal the IP addresses of anyone that a user connects to, for example, while having a conversation or transferring files. "But at least you are in a conversation with a 'known' person," he said. By contrast, the attack technique "can be used by and against anyone with a Skype account, regardless of whether they are a buddy," he said. "I hope that Skype takes a serious look at this, simply proxying contact requests would likely solve it, which wouldn't be awfully hard for them."

Microsoft Tuesday confirmed that it's investigating the bug, which according to The Wall Street Journal might have been detailed to Skype officials as far back as November 2010.

"We are investigating reports of a new tool that captures a Skype user's last known IP address," said Adrian Asher, director of product security at Skype, in a statement. But he likewise warned that the service, by its nature, can reveal details about connected users. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

This isn't the first privacy-related bug to surface on Skype. Last year, academic researchers released a paper, "I Know Where You Are And What You Are Sharing," that detailed techniques for probing Skype users' credentials without their knowledge, providing an attacker knew their target's birthdate and birth name, reported The Register.

"We have shown that it is possible for an attacker, with modest resources, to determine the current IP address of identified and targeted Skype user[s] (if the user is currently active)," according to the paper. "In the case of Skype, even if the targeted user is behind a NAT, the attacker can determine the user's public IP address. Such an attack could be used for many malicious purposes, including observing a person's mobility or linking the identity of a person to his Internet usage."

Using the gleaned information, researchers also were able to correlate BitTorrent downloading activity with Skype accounts, meaning they could positively identity people who were simultaneously using BitTorrent and Skype.

The researchers said the bug could be fixed by not disclosing any IP information until a Skype user accepted an incoming call.

InformationWeek is conducting a survey to get a baseline look at where enterprises stand on their IPv6 deployments, with a focus on problem areas, including security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our InformationWeek IPv6 Survey now. Survey ends May 11.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SkiMan01
50%
50%
SkiMan01,
User Rank: Apprentice
5/3/2012 | 3:07:58 PM
re: Skype Bug Divulges IP Addresses
Years ago I had written a routine that was based on my PC server. The server looked like a gateway, even though it was my machine, and any incoming ping would always return an IP address of 127.0.0.1 In that way, any attempt to drop anything on my machine via my IP address dropped on your own hard drive.

Worked very well for all the years I had that old computer.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.