Newly found Skype exploit can reveal user's IP address [Update]

If you are using Skype, you might want to be aware of a newly discovered exploit that could be used by other Skype users to discover your remote and local IP addresses. A post on the skype-open-source blog site (via News.com) reveals the details of this exploit.

The process is unfortunately pretty simple. First, a person can download a hacked version of SkypeKit and then change a few registry keys. Then all that person has to do is try to add a new Skype contact name in the program. The IP addresses are revealed when you click on a Skype user's information card. You don't even have to send a contact confirmation notice to that user, which means he or she will be unaware that you are viewing their IP addresses.

This method could be used to find out a Skype user's country and city, along with which ISP he or she is using. It could also be used by hackers to go after a particular PC. However, it only seems to work if a Skype user is online at the time. We have contacted Skype for comment on this exploit and asked whether they have plans to fix it.

Update - Microsoft sent over a statement from Adrian Asher, director of product security for Skype.

We are investigating reports of a new tool that captures a Skype user's last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.

9 Comments


Ridlas said,
An IP reveals where you live (City). To some people that might be risky.

Not really. If on (A)DSL, it gets it from the central base and that can be miles away. For example, mine is about 100 miles away from where I'm actually at.

.... Oh no... My IP!! /sarcasm. Who cares. If your security on your computer ends at obfuscation of your IP, you've already lost.

ah I remember the old days with AOL IM direct connect you could just do a netstat and get the IP of who you were connected to... nowadays this is considered an exploit in a P2P system.. hehe spoiled people with P2P, back in my day we had to directly connect to a system to do binary communication *shakes cane at you*

neufuse said,
ah I remember the old days with AOL IM direct connect you could just do a netstat and get the IP of who you were connected to... nowadays this is considered an exploit in a P2P system.. hehe spoiled people with P2P, back in my day we had to directly connect to a system to do binary communication *shakes cane at you*

A'yup!
But remember: A hidden IP is always a plus.
I wouldn't have ever expected my IP to be safe from insight with any instant messenger unless I'm connected like through a VPN though.

So if there are people who ever counted on it, I pity those fools.

GS:mac

However, it only seems to work if a Skype user is online at the time. We have contacted Skype for comment on this exploit and if they have plans to fix it.

Probably means Skype aren't logging IPs and even if they are then they're not readily accessible.

lt8480 said,

Probably means Skype aren't logging IPs and even if they are then they're not readily accessible.


Don't be stupid, EVERY website and/or internet service logs IPs. How do you check if an account was hacked? If feds need something as evidence in court, how can you prove who sent it? Everything is logged.
I don't see this as a security hazard anyway, as the people that found it say, Skype DOES P2P stuff so unless people are happy with the cost of Skype going up massively for the cost it'd be for new servers and datacenters then I think it's fine as is. Get a firewall, you're mostly safe.

n_K said,

Don't be stupid, EVERY website and/or internet service logs IPs. How do you check if an account was hacked? If feds need something as evidence in court, how can you prove who sent it? Everything is logged.
I don't see this as a security hazard anyway, as the people that found it say, Skype DOES P2P stuff so unless people are happy with the cost of Skype going up massively for the cost it'd be for new servers and datacenters then I think it's fine as is. Get a firewall, you're mostly safe.

Trust me, EVERY website doesn't log IPs, and definitely not EVERY website in the manner I implied - that is, IPs against an individual's account.

Whilst the server may be logging IPs, it doesn't mean that you can necessarily connect it with someone or even an account, IPs aren't exactly the best way of proving something in court, mainly because they can be manipulated so easily.

Whilst my house number stuck to my door is assumed to be correct - I could quite easily change it.