Skype Vulnerability Exposing User IP Addresses

Skype is warning users following the launch of a site devoted to harvesting user IP addresses.The Skype IP-Finder site allowed third-parties to see a user's last known IP address by simply typing in a user name.

A script has been uploaded to Github that offers these options. According to the page, it can be used to lookup IP addresses of online Skype accounts, and return both the remote and the local IP of that account on a website.

The script is for instance available on this site. Just enter the user name of a Skype user, fill out the captcha, and click the search button to initiate the lookup. You will receive the user’s remote IP and port, as well as the local IP and port.

Adrian Asher, director of product Security, Skype “We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are takings measures to help protect them.”

The proof of concept is fairly simple. All an attacker needs to do is download a special Skype variant and alter a few registry keys to enable debug-log file creation.When adding a Skype contact, before sending the actual request, the victim’s information card can be viewed. At this point, the log file records the user’s IP address.

The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online. Services like Whois will then give some other details on the city, country, internet provider and/or the internal IP-address of the target.

This particular flaw was discussed in a paper presented by an international team of researchers in November at the Internet Measurement Conference 2011 in Berlin.

There is currently no way of protecting yourself against the lookup of the IP address, other than not logging in to Skype when the software is not needed. The only other option would be the use of a virtual private network or proxy to hide the IP address from users who look it up.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.