Risk
5/2/2012
11:49 AM
50%
50%

Skype Bug Divulges IP Addresses

Microsoft investigating feature that lets attacker identify the internal and external IP addresses of anyone who's logged into Skype.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
A previously undisclosed feature in Skype allows any user to discern the external and internal IP addresses of everyone who's currently logged onto Skype.

"Knowledge of this is critical if you use Skype in any situations where your location needs to remain secure or simply if you are interested in personal privacy," said Nick Furneaux, managing director of computer forensic services provider CSITech, in a blog post.

Knowledge about the vulnerability first surfaced last week in a Pastebin post from Russian hackers. The instructions involve using a patched version of deobfuscated Skype 5.5, and then enabling debug logging by altering a few registry keys. Reviewing the log file will divulge active users, and entering one of those usernames into Skype's "add a contact" feature--but not sending a request to add them as a contact--would then let an attacker click on the name and see their IP address information. Running that information through the whois service, meanwhile, can detail the user's city, country, and service provider.

The Pastebin post also includes a 19-line Perl script that automates the process of searching in the debug log. "I've tested this and it does what it says on the tin," meaning the script works as advertised. "I was able to extract the external and internal IPs of a friend in the U.S. to within a few miles of his house, a buddy in Asia to within a few streets, and my own to just a few miles down the road," said Furneaux.

[ Can the Middle East eavesdrop on Skype? See Skype Protocol Cracked. ]

But the bigger concern is that being able to discern someone's internal and external IP address "provides the basis for a direct probe and then attack of any individual on Skype's global address book," he said.

A related website recently debuted, which automated the Skype username lookup process. But the site, Skype-IP-Finder, was offline Wednesday, apparently due to a service-provider takedown. "This domain and website have been suspended because of abuse or copyright reasons," read a notice posted on the site. Similarly, according to news reports, some Skype users who have tested out the bug--or undocumented feature--have seen their accounts terminated by Skype, which was bought last year by Microsoft.

Furneaux said that any peer-to-peer based service, such as Skype, might--by design--reveal the IP addresses of anyone that a user connects to, for example, while having a conversation or transferring files. "But at least you are in a conversation with a 'known' person," he said. By contrast, the attack technique "can be used by and against anyone with a Skype account, regardless of whether they are a buddy," he said. "I hope that Skype takes a serious look at this, simply proxying contact requests would likely solve it, which wouldn't be awfully hard for them."

Microsoft Tuesday confirmed that it's investigating the bug, which according to The Wall Street Journal might have been detailed to Skype officials as far back as November 2010.

"We are investigating reports of a new tool that captures a Skype user's last known IP address," said Adrian Asher, director of product security at Skype, in a statement. But he likewise warned that the service, by its nature, can reveal details about connected users. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

This isn't the first privacy-related bug to surface on Skype. Last year, academic researchers released a paper, "I Know Where You Are And What You Are Sharing," that detailed techniques for probing Skype users' credentials without their knowledge, providing an attacker knew their target's birthdate and birth name, reported The Register.

"We have shown that it is possible for an attacker, with modest resources, to determine the current IP address of identified and targeted Skype user[s] (if the user is currently active)," according to the paper. "In the case of Skype, even if the targeted user is behind a NAT, the attacker can determine the user's public IP address. Such an attack could be used for many malicious purposes, including observing a person's mobility or linking the identity of a person to his Internet usage."

Using the gleaned information, researchers also were able to correlate BitTorrent downloading activity with Skype accounts, meaning they could positively identity people who were simultaneously using BitTorrent and Skype.

The researchers said the bug could be fixed by not disclosing any IP information until a Skype user accepted an incoming call.

InformationWeek is conducting a survey to get a baseline look at where enterprises stand on their IPv6 deployments, with a focus on problem areas, including security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our InformationWeek IPv6 Survey now. Survey ends May 11.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SkiMan01
50%
50%
SkiMan01,
User Rank: Apprentice
5/3/2012 | 3:07:58 PM
re: Skype Bug Divulges IP Addresses
Years ago I had written a routine that was based on my PC server. The server looked like a gateway, even though it was my machine, and any incoming ping would always return an IP address of 127.0.0.1 In that way, any attempt to drop anything on my machine via my IP address dropped on your own hard drive.

Worked very well for all the years I had that old computer.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.