Skype Flaw Discloses IP Addresses

A security vulnerability in Skype could allow someone to identify a targeted user's IP address, according to an exploit posted on Pastebin.

The exploit instructions, posted by an anonymous individual, provide details on how to download a modified version of Skype 5.5 that could allow an attacker to turn on the debug-log file with the addition of specially crafted registry keys. The attacker can then view a user's vCard (a file format standard used by Skype), whether or not that user appears on the attacker's friend list. The attacker would then have access to the user's IP address, city, country and specific Internet provider.

While Skype, which was purchased by Microsoft for $8.5 billion last year, hasn't confirmed whether the exploit is real, it said it is currently looking into the issue.

"We are investigating reports of a new tool that allegedly captures a Skype user's last known IP address," said a Skype representative. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

In October of last year, Skype acknowledged that it was theoretically possible to identify a user's IP address "just as with typical internet communications software," Adrian Asher, Skype's chief information security officer, told Network World. Asher said that Skype continually monitors and improves security measures to keep these types of exploits from spreading.

In response to the new exploit, Skype has already begun blocking the accounts of those using the modified client, according to Marcus Carey, security researcher for Rapid7. However, he believes that this will just cause attackers to create multiple accounts to avoid being detected and deleted.

He also said that, in the right hands, this exploit could be used in crime prevention. "This particular exploit is very beneficial to law enforcement personnel trying to gain the location of criminals who use Skype to communicate over the Internet," said Carey in an e-mailed response.


About the Author

Chris Paoli is the site producer for and

