Skype Flaw Discloses IP Addresses
A security vulnerability in Skype could allow someone to identify a targeted user's IP address, according to exploit instructions posted on Pastebin.
The instructions, posted by an anonymous individual, provide details on how to download a modified version of Skype 5.5 that could allow an attacker to turn on the debug-log file by adding specially crafted registry keys. The attacker can then view a user's vCard (the contact-card file format used by Skype), whether or not that user appears on the attacker's contact list. The attacker would then have access to the user's IP address, city, country and specific Internet provider.
While Skype, which was purchased by Microsoft for $8.5 billion last year, hasn't confirmed whether the exploit is real, it said it is currently looking into the issue.
"We are investigating reports of a new tool that allegedly captures a Skype user's last known IP address," said a Skype representative. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."
In October of last year, Skype acknowledged that it was theoretically possible to identify a user's IP address "just as with typical internet communications software", Adrian Asher, Skype's chief information security officer, told Network World. Asher said that Skype continually monitors and improves its security measures to keep these types of exploits from spreading.
In response to the new exploit, Skype has already begun blocking the accounts of those using the modified client, according to Marcus Carey, security researcher at Rapid7. However, he believes this will simply cause attackers to create multiple accounts to avoid being detected and deleted.
He also said that, in the right hands, this exploit could be used in crime prevention. "This particular exploit is very beneficial to law enforcement personnel trying to gain the location of criminals who use Skype to communicate over the Internet," said Carey in an e-mailed response.