5/2/2012
11:49 AM

Skype Bug Divulges IP Addresses

Microsoft investigating feature that lets attacker identify the internal and external IP addresses of anyone who's logged into Skype.

A previously undisclosed feature in Skype allows any user to discern the external and internal IP addresses of everyone who's currently logged onto Skype.

"Knowledge of this is critical if you use Skype in any situations where your location needs to remain secure or simply if you are interested in personal privacy," said Nick Furneaux, managing director of computer forensic services provider CSITech, in a blog post.

Knowledge about the vulnerability first surfaced last week in a Pastebin post from Russian hackers. The instructions involve using a patched version of deobfuscated Skype 5.5, and then enabling debug logging by altering a few registry keys. Reviewing the log file will divulge active users, and entering one of those usernames into Skype's "add a contact" feature--but not sending a request to add them as a contact--would then let an attacker click on the name and see their IP address information. Running that information through the whois service, meanwhile, can detail the user's city, country, and service provider.

The Pastebin post also includes a 19-line Perl script that automates the process of searching in the debug log. "I've tested this and it does what it says on the tin," said Furneaux, meaning the script works as advertised. "I was able to extract the external and internal IPs of a friend in the U.S. to within a few miles of his house, a buddy in Asia to within a few streets, and my own to just a few miles down the road," he said.

But the bigger concern is that being able to discern someone's internal and external IP address "provides the basis for a direct probe and then attack of any individual on Skype's global address book," he said.

A related website recently debuted, which automated the Skype username lookup process. But the site, Skype-IP-Finder, was offline Wednesday, apparently due to a service-provider takedown. "This domain and website have been suspended because of abuse or copyright reasons," read a notice posted on the site. Similarly, according to news reports, some Skype users who have tested out the bug--or undocumented feature--have seen their accounts terminated by Skype, which was bought last year by Microsoft.

Furneaux said that any peer-to-peer based service, such as Skype, might--by design--reveal the IP addresses of anyone that a user connects to, for example, while having a conversation or transferring files. "But at least you are in a conversation with a 'known' person," he said. By contrast, the attack technique "can be used by and against anyone with a Skype account, regardless of whether they are a buddy," he said. "I hope that Skype takes a serious look at this, simply proxying contact requests would likely solve it, which wouldn't be awfully hard for them."

Microsoft Tuesday confirmed that it's investigating the bug, which according to The Wall Street Journal might have been detailed to Skype officials as far back as November 2010.

"We are investigating reports of a new tool that captures a Skype user's last known IP address," said Adrian Asher, director of product security at Skype, in a statement. But he likewise warned that the service, by its nature, can reveal details about connected users. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

This isn't the first privacy-related bug to surface on Skype. Last year, academic researchers released a paper, "I Know Where You Are And What You Are Sharing," that detailed techniques for probing Skype users' credentials without their knowledge, provided an attacker knew their target's birthdate and birth name, reported The Register.

"We have shown that it is possible for an attacker, with modest resources, to determine the current IP address of identified and targeted Skype user[s] (if the user is currently active)," according to the paper. "In the case of Skype, even if the targeted user is behind a NAT, the attacker can determine the user's public IP address. Such an attack could be used for many malicious purposes, including observing a person's mobility or linking the identity of a person to his Internet usage."

Using the gleaned information, researchers also were able to correlate BitTorrent downloading activity with Skype accounts, meaning they could positively identify people who were simultaneously using BitTorrent and Skype.

The researchers said the bug could be fixed by not disclosing any IP information until a Skype user accepted an incoming call.
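
A minimal model of the two fixes suggested above (Furneaux's proxied contact requests and the researchers' withholding of IP information until a call is accepted), added here as an illustration and not taken from Skype or from the paper. The `Broker` class, the relay hostname and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

RELAY = ("relay.example.net", 443)  # hypothetical relay operated by the service


@dataclass
class Broker:
    """Toy signaling broker; only it knows each user's addresses."""
    endpoints: dict = field(default_factory=dict)  # user -> address record
    pending: set = field(default_factory=set)      # invites awaiting an answer
    accepted: set = field(default_factory=set)     # (caller, callee) pairs

    def register(self, user, external, internal):
        self.endpoints[user] = {"external": external, "internal": internal}

    def lookup(self, requester, target):
        # Directory search or add-contact: presence only, never an address.
        return {"user": target, "online": target in self.endpoints}

    def invite(self, caller, callee):
        # Contact and call requests are proxied, so the caller sees the relay.
        if callee not in self.endpoints:
            raise KeyError(callee)
        self.pending.add((caller, callee))
        return self.route(caller, callee)

    def accept(self, callee, caller):
        if (caller, callee) not in self.pending:
            raise PermissionError("no pending invite from " + caller)
        self.pending.remove((caller, callee))
        self.accepted.add((caller, callee))

    def route(self, caller, callee):
        # Peer addresses are released only after the callee has accepted.
        if (caller, callee) in self.accepted:
            return {"direct": self.endpoints[callee]}
        return {"relay": RELAY}


def demo():
    b = Broker()
    # Constructed sample addresses (documentation and private ranges).
    b.register("alice", "203.0.113.7", "192.168.1.20")
    stranger_view = b.lookup("mallory", "alice")
    before = b.invite("bob", "alice")
    b.accept("alice", "bob")
    after = b.route("bob", "alice")
    return stranger_view, before, after
```

In this model a non-contact learns only that the account is online, and a caller is handed the peer's addresses only once the callee has answered.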

Comments
SkiMan01,
User Rank: Apprentice
5/3/2012 | 3:07:58 PM
re: Skype Bug Divulges IP Addresses
Years ago I had written a routine that was based on my PC server. The server looked like a gateway, even though it was my machine, and any incoming ping would always return an IP address of 127.0.0.1. In that way, any attempt to drop anything on my machine via my IP address dropped on your own hard drive.

Worked very well for all the years I had that old computer.