Skype slurping software threatens IP exposure

Code posted online that can skim the last known IP address of users is being checked out by Skype as a possible security flaw. The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online without …

COMMENTS

This topic is closed for new posts.
  1. Nate Amsden

    what's the big deal?

    What's the big deal if someone else can find your IP? I find it very humorous that people go out of their way to obscure things like MAC addresses, host names, and even IPs (especially internal IPs). Sad too.

    1. Anonymous Coward

      Re: what's the big deal?

      The IP addresses aren't the big deal, it's the fact that you can be tracked.

      That's a bit creepy.

      1. RAMChYLD
        Boffin

        Re: what's the big deal?

        Tracked?

        I cycle the power of my fiber box very, very often (as in, power it off when I'm not using the internet). My ISP also provides me a dynamic IP address with every power cycle, since they're greedy and you need to buy a business package for four times the price to get a static IP.

        I do feel sorry for the guy who gets my IP address after my modem is turned off tho. Know how that felt- one time I was banned from IRC because one of the previous users of the ISP who got the IP went into the server and acted like a d**k.

    2. nexsphil

      Re: what's the big deal?

      In that case you won't mind if I take your home address right now then. Not keen? Well there's your reason, "sad" as it is.

      1. Matt Bryant Silver badge
        Facepalm

        Re: what's the big deal?

        "....you won't mind if I take your home address...." There's a bit of a difference between having someone's IP address and their actual home address. At best, if they're on a fixed IP address, you still have to find a means to relate that into a physical home address. If you're worried you can always ask your ISP to change your IP address, and if you're on a DHCP service you can simply release/renew to get a new IP address anyway. If you're really worried, disconnect and make yourself a bigger tinfoil hat.

        Having said that, you're probably of very little interest to anyone other than Google, and they've probably already slurped your WiFi and left an hundred-and-one cookies in your browser, all telling Sergey all he wants to know about your online habits.

        1. Anonymous Coward

          Re: left an hundred-and-one cookies

          Why do I have to keep repeating? It's not the cookies in your browser, it's the data they get about you from the stat utilities they run from the websites that's the problem. Which is why you don't have to be using a Google account for them to get data about you?

        2. nexsphil

          Re: what's the big deal?

          Real address can be resolved with complete accuracy via a dynamic IP - by direct request to the ISP. Chanting "tinfoil hat" like an infantile "abracadabra" will not make reality go away, unfortunately.

          1. Matt Bryant Silver badge
            FAIL

            Re: Re: what's the big deal?

            "Real address can be resolved with complete accuracy via a dynamic IP - by direct request to the ISP...." Yeah, you just go try that then, see if you get an address out of them. A law-enforcement agency might, working within the legal guidelines of the country involved. So not a problem in the UK or US or most of the Western World where there are strict legal guidelines for such activity, and if you're likely to be of interest to the law anywhere else then they've probably already got all kinds of filters and tracking on your local Internet anyway (think China, Iran, etc). Western police can get a warrant to tap your Skype any time they have a legal argument to do so, along with all your other electronic communications, no need for Skype hacks.

            "....Chanting "tinfoil hat" like an infantile "abracadabra" will not make reality go away...." Living outside reality because someone told you it's cool to "fear the Man" is beyond infantile. I can just about guarantee that no matter how big a rebel you think you are, you're probably of zero interest to anyone of authority. They have finite budgets and resources and a lot bigger fish to fry.

    3. Chris 3

      Re: what's the big deal?

      The big deal is that you don't have to be online for this to work. Knowing someone's Skype ID when they're logged off is enough to track their most recent IP and therefore rough location. It's a daft bit of design.

  2. Artestro

    "Before everyone panics, it is not clear if the problem affects the current corporate build of Skype or just the deobfuscated build mentioned in the posting". Inconsequential, as clearly only the attacker's software needs to be modified. If the blog is correct then all users would be vulnerable.

  3. Voland's right hand Silver badge
    Devil

    Part of the system design unfortunately :(

    Being a P2P system, Skype needs the other person's IP to communicate directly. There will always be a way of extracting the destination IP with Skype. If Skype fixes the bug which allows extracting it from Skype itself you can still sniff network traffic and see where it goes.

    1. Anonymous Coward

      Re: Part of the system design unfortunately :(

      True, you can't stop someone finding the IP address of a person they are talking to, but this goes beyond that and effectively provides a handy surveillance tool. With this anyone can find out what IP address (and port number, going by the blog) a person is currently operating from, without alerting that person of the sniffing.

      Definitely a security flaw.

    2. Colin Miller

      Re: Part of the system design unfortunately :(

      However, Skype could block the exchange of IP addresses until both parties agree to accept the call.

      Something like this:

      1) The caller contacts Skype's servers, and asks to connect to the receiver,

      2) Skype contacts the receiver and asks if the receiver is willing to take the call,

      3) If yes, then, and only then does Skype inform the caller and receiver of each other's public IP addresses.

      It does add more work to Skype's servers (rather than being a listing service), and is slightly less resilient if the servers go down (as a listing service the caller could try asking at the receiver's last known IP address).
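
The three steps outlined in the comment above, sketched as a toy in-memory broker. This is an added example, not part of the original thread and not Skype's protocol; the class and method names are hypothetical and the addresses are constructed documentation-range values.

```python
"""Consent-gated rendezvous: endpoints are released only after the callee accepts."""
import secrets


class Broker:
    def __init__(self):
        self.endpoints = {}  # user -> (ip, port); never returned by a lookup
        self.pending = {}    # opaque call token -> (caller, callee)

    def register(self, user, ip, port):
        self.endpoints[user] = (ip, port)

    def request_call(self, caller, callee):
        """Step 1: the caller asks to reach the callee and gets only a token.
        A token is issued even for an unknown or offline callee, so the reply
        reveals neither an address nor whether the callee is registered."""
        token = secrets.token_hex(8)
        self.pending[token] = (caller, callee)
        return {"token": token}

    def incoming(self, callee):
        """Step 2: the callee is told who is calling, not from where."""
        return [{"token": t, "from": c}
                for t, (c, d) in self.pending.items() if d == callee]

    def answer(self, token, callee, accept):
        """Step 3: only on acceptance are the endpoints exchanged.
        Returns {recipient: peer_endpoint} or None if nothing is disclosed."""
        caller, expected = self.pending.get(token, (None, None))
        if expected != callee:
            return None  # only the addressed callee may answer this token
        del self.pending[token]
        if not accept:
            return None  # declined: the caller learns no address
        if caller not in self.endpoints or callee not in self.endpoints:
            return None  # one side is not registered, nothing to exchange
        return {caller: self.endpoints[callee], callee: self.endpoints[caller]}


def demo():
    """Constructed scenario: one declined call, then one accepted call."""
    b = Broker()
    b.register("alice", "198.51.100.7", 40000)  # constructed sample endpoints
    b.register("bob", "203.0.113.9", 50000)
    declined = b.answer(b.request_call("alice", "bob")["token"], "bob", False)
    accepted = b.answer(b.request_call("alice", "bob")["token"], "bob", True)
    return declined, accepted
```
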

  4. stanimir

    Skype does security through obscurity - which never works for a determined cracker. Skype is P2P, i.e. there will be a way to find out the IP.

    The only way to fight that would be "non-contacts" to go through a set of designated master nodes and the latter will break any backward compatibility.

    1. Anonymous Coward

      Err...

      Security through obscurity doesn't work? I'd imagine that's why GCHQ publish all their encryption algorithms on their web site... Err..

      1. stanimir

        Re: Err... (Security through obscurity)

        If you have the application at your disposal, the algorithm is there to be cracked open. Long gone are the days when I used to disassemble programs, but there is nothing so hard developed since then. Even games running game-guard, etc. get their protocols cracked.

        If there is any real and profitable opportunity I bet Skype will be just exposed.

  5. Andrew Moore

    Question...

    Does anyone know who Marius Milner is working for these days?

  6. Anonymous Coward

    I have almost given up on Skype nowadays. It's OK for doing Skype-to-Skype stuff on, but I find it less and less reliable for calling actual telephones. I can't remember the last time it let me call a number starting with 08... without the line dropping almost immediately

    1. petur
      Thumb Up

      Indeed, and proper standard VOIP (SIP) is so much cheaper due to all those offers. And you can (I did) port your landline number over to one of them.

    2. Lockwood

      I use SkypeOut to get free 0800 calls from my mobile!

    3. Andrew Moore

      It didn't really occur to me that people were doing Skype-to-non-Skype calling. I think the last time I checked, the standard tariff on my mobile was just as good as Skype's prices.

      1. Lockwood
        Facepalm

        I had a hilarious moment in 2010, I wanted to phone ComReg in RoI before I crossed the border to check something.

        I was told that to direct dial from the hotel (in NI) would cost a fortune, and that my mobile would cost a fair bit, too.

        I decided to call my Brighton SkypeOut number to call the RoI and take it from my Skype credit at something like 1.1p a minute.

        Calling RoI from NI via England. Woohoo.

        (Of course, ComReg didn't have anyone in the department I needed, so I ended up trying a backup plan and seeing if Ofcom could advise me, which they grudgingly did)

  7. Anonymous Coward

    "We are committed to"

    The bullshit alarm just went off

  8. curlywurly

    I've moved to the US, and found Skype2Go/Skype out to be one of the least expensive options for calling from my US mobile to a UK mobile. Yes, you can get deals on international calling from US mobile to UK landline, but international mobile to mobile, well I couldn't find many lower cost options, and I refuse to give AT&T any more money than I need.

    I use Tango now as well, if I'm on WiFi, and the other person I'm calling is on WiFi, it is in essence free, and has a few neat tools, I also found the audio better than Skype.

    1. Anonymous Coward

      You can't have looked too hard

      I've been using voipstunt for the better part of 10 years now. Rates to mobiles in the UK are only marginally cheaper than Skype, but calls to landlines are free*, and so are calls from the UK to my VoipIn number, which automatically redirects to my US cell phone. I don't even use the Voipstunt client - I call a US number which forwards the call (no shortage of free minutes on my calling plan).

      (*It costs about $16 to get a topup that gives you 120 days of free calls to landlines. If you make an hour's worth of calls to mobiles in any 4 month period, you basically get free landline calls, and free inbound calls).
