11:49 AM

Skype Bug Divulges IP Addresses

Microsoft investigating feature that lets attacker identify the internal and external IP addresses of anyone who's logged into Skype.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
A previously undisclosed feature in Skype allows any user to discern the external and internal IP addresses of everyone who's currently logged onto Skype.

"Knowledge of this is critical if you use Skype in any situations where your location needs to remain secure or simply if you are interested in personal privacy," said Nick Furneaux, managing director of computer forensic services provider CSITech, in a blog post.

Knowledge about the vulnerability first surfaced last week in a Pastebin post from Russian hackers. The instructions involve using a patched version of deobfuscated Skype 5.5, and then enabling debug logging by altering a few registry keys. Reviewing the log file will divulge active users, and entering one of those usernames into Skype's "add a contact" feature--but not sending a request to add them as a contact--would then let an attacker click on the name and see their IP address information. Running that information through the whois service, meanwhile, can detail the user's city, country, and service provider.

The Pastebin post also includes a 19-line Perl script that automates the process of searching in the debug log. "I've tested this and it does what it says on the tin," meaning the script works as advertised. "I was able to extract the external and internal IPs of a friend in the U.S. to within a few miles of his house, a buddy in Asia to within a few streets, and my own to just a few miles down the road," said Furneaux.

[ Can the Middle East eavesdrop on Skype? See Skype Protocol Cracked. ]

But the bigger concern is that being able to discern someone's internal and external IP address "provides the basis for a direct probe and then attack of any individual on Skype's global address book," he said.

A related website recently debuted, which automated the Skype username lookup process. But the site, Skype-IP-Finder, was offline Wednesday, apparently due to a service-provider takedown. "This domain and website have been suspended because of abuse or copyright reasons," read a notice posted on the site. Similarly, according to news reports, some Skype users who have tested out the bug--or undocumented feature--have seen their accounts terminated by Skype, which was bought last year by Microsoft.

Furneaux said that any peer-to-peer based service, such as Skype, might--by design--reveal the IP addresses of anyone that a user connects to, for example, while having a conversation or transferring files. "But at least you are in a conversation with a 'known' person," he said. By contrast, the attack technique "can be used by and against anyone with a Skype account, regardless of whether they are a buddy," he said. "I hope that Skype takes a serious look at this, simply proxying contact requests would likely solve it, which wouldn't be awfully hard for them."

Microsoft Tuesday confirmed that it's investigating the bug, which according to The Wall Street Journal might have been detailed to Skype officials as far back as November 2010.

"We are investigating reports of a new tool that captures a Skype user's last known IP address," said Adrian Asher, director of product security at Skype, in a statement. But he likewise warned that the service, by its nature, can reveal details about connected users. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

This isn't the first privacy-related bug to surface on Skype. Last year, academic researchers released a paper, "I Know Where You Are And What You Are Sharing," that detailed techniques for probing Skype users' credentials without their knowledge, providing an attacker knew their target's birthdate and birth name, reported The Register.

"We have shown that it is possible for an attacker, with modest resources, to determine the current IP address of identified and targeted Skype user[s] (if the user is currently active)," according to the paper. "In the case of Skype, even if the targeted user is behind a NAT, the attacker can determine the user's public IP address. Such an attack could be used for many malicious purposes, including observing a person's mobility or linking the identity of a person to his Internet usage."

Using the gleaned information, researchers also were able to correlate BitTorrent downloading activity with Skype accounts, meaning they could positively identity people who were simultaneously using BitTorrent and Skype.

The researchers said the bug could be fixed by not disclosing any IP information until a Skype user accepted an incoming call.

InformationWeek is conducting a survey to get a baseline look at where enterprises stand on their IPv6 deployments, with a focus on problem areas, including security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our InformationWeek IPv6 Survey now. Survey ends May 11.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/3/2012 | 3:07:58 PM
re: Skype Bug Divulges IP Addresses
Years ago I had written a routine that was based on my PC server. The server looked like a gateway, even though it was my machine, and any incoming ping would always return an IP address of In that way, any attempt to drop anything on my machine via my IP address dropped on your own hard drive.

Worked very well for all the years I had that old computer.
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.