
Microsoft Investigating Skype Breach Exposing IP Addresses

Source: PC Magazine

A patched version of Skype 5.5 allows the user to acquire the IP address of any Skype member that's currently signed on to the network.

Microsoft is reportedly looking into a Skype vulnerability that allows a third party to view a user's last known IP address. The exploit was first made known last week via instructions on Pastebin showing how someone can download a patched version of Skype and obtain any Skype member's IP address whether they're contacts or total strangers.

"We are investigating reports of a new tool that allegedly captures a Skype user's last known IP address," a Skype representative said in an emailed statement. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

After downloading the patched client, IP snoopers can turn on debug-log file creation by adding a few registry keys. After that, they can add a Skype contact simply by viewing the user's vCard -- sending an add request is not needed. However, both the snooper and the victim must be online -- IP addresses cannot be obtained when targets sign off the network.

"Take a look in the log of the desired skypename," the instructions read. "The record will be like this for real user IP: -r195.100.213.25:31101. And like this for user internal network card IP: -l172.10.5.17."

Once obtained, the IP address can then be used in a WHOIS service to acquire the target's city, country, Internet Service Provider and internal user IP address. Other details like name and telephone number typically can't be obtained.

Microsoft scooped up Skype back in October 2011 for a meaty $8.5 billion. Since then, Skype has arrived on Windows Phone and Sony's PlayStation Vita. There are also signs that Microsoft plans to introduce Skype as a Web app for browsers later this year, and that the popular VoIP service is finally headed to the Xbox 360 console.

So far, Microsoft and Skype have not released an official public statement regarding the IP snooping tool. "Our security experts are aware of it and looking into it already," said Skype's community manager Monday morning. Skype users are advised to sign off when they're not using the service until the issue is resolved.

  • 3 Hide
    blazorthon , May 1, 2012 8:51 PM
    That's one of the worst such vulnerabilities that I've ever heard of.
  • 3 Hide
    born2rock4life , May 1, 2012 9:54 PM
    Haven't seen a vulnerability like this since you could use Direct Connect in AIM to share images, and then run a netstat -r. Good times.
  • 0 Hide
    Anonymous , May 1, 2012 10:13 PM
    sounds like a lot of cam "workers" are gonna find themselves real life stalkers.
  • 4 Hide
    opmopadop , May 2, 2012 12:11 AM
    I was just about to say "I haven't seen the Skype app in the marketplace" but thought I would check first... Wooohooo! Time to spend those sweet sweet Skype credits.
  • 9 Hide
    computernerdforlife , May 2, 2012 1:05 AM
    This reminds me of the good old ICQ days where the IP address was listed in everyone's profile. I used to use a program called Sub7 to rotate other people's screens and eject their cd trays to make them sh!t. The 90's were fun. :)
  • 0 Hide
    house70 , May 2, 2012 1:41 AM
    You kinda broadcast your IP address when you go online. It's NOT a secret.
    That being said, this should NOT have happened nowadays. What kind of "patch" is that?
    Always logging off any online services when done with them - that should be common sense, but a lot of people don't exercise it.
  • -1 Hide
    house70 , May 2, 2012 1:47 AM
    my first post disappeared while uploading... this site is buggier than a 20 year old mattress...

    Anyways, logging off any online service when done using them is basic common sense - but a lot of people don't exercise it.
    Who made that patch, anyways? that dude needs his arse fired for incompetence.
    Finally, it sounds bad as it is, but you're broadcasting your IP address every time you're online. It's not a secret. The patch needs...patching, but it is not the end of the world.
  • -1 Hide
    house70 , May 2, 2012 1:48 AM
    Of course, no edit button... Sorry for the double post.
  • 0 Hide
    JOSHSKORN , May 2, 2012 4:58 AM
    How about getting rid of the ability to get someone else's IP through netstat -n ?
  • 0 Hide
    opmopadop , May 2, 2012 1:31 PM
    house70: Of course, no edit button... Sorry for the double post.

    All good, edit is hiding under the 'Read the comments from the forums' link... and then it sometimes works ;-)
  • 0 Hide
    blazorthon , May 2, 2012 1:43 PM
    opmopadop: All good, edit is hiding under the 'Read the comments from the forums' link... and then it sometimes works ;-)


    It shouldn't work on the Tom's Guide articles, just the Tom's Hardware articles.
  • 0 Hide
    devpuma , May 2, 2012 9:04 PM
    Crysis 2's multiplayer had a similar problem, you could see the IP addresses of all the players in the server you were playing in.

    Not sure if they ever fixed that.