Feeds

Skype slurping software threatens IP exposure

It's a P2P problem says Redmond subsidiary

SANS - Survey on application security programs

Code posted online that can skim the last known IP address of users is being checked out by Skype as a possible security flaw.

The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online without calling them. Services like Whois will then give some other details on the city, country, internet provider and/or the internal IP-address of the target.

"I've tested this and it does what it says on the tin," blogged Nick Furneaux, MD of security researchers CSITech. "I was able to extract the external and internal IP's of a friend in the US to within a few miles of his house, a buddy in Asia to within a few streets and my own to just a few miles down the road. More concerningly the internal IP combined with the internet facing address provides the basis for a direct probe and then attack of any individual on Skype's global address book."

He said a website had been set up to provide an easier way to exploit the IP tracking but that it hadn't yet been checked out for malware. The site is down at present.

Before everyone panics, it is not clear if the problem affects the current corporate build of Skype or just the deobfuscated build mentioned in the posting. Skype, and presumably Microsoft given the amount of integration Redmond is planning with its code base, are no doubt hoping it's the latter situation. In any case, simply turning off the software when you're not using it minimizes any threat window.

"We are investigating reports of a new tool that captures a Skype user’s last known IP address," Adrian Asher, director of product security at Skype told El Reg in an emailed statement. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them." ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.