Code posted online that can skim the last known IP address of users is being checked out by Skype as a possible security flaw.
The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online without calling them. Services like Whois will then give some other details on the city, country, internet provider and/or the internal IP-address of the target.
“I’ve tested this and it does what it says on the tin,” blogged Nick Furneaux, MD of security researchers CSITech. “I was able to extract the external and internal IP’s of a friend in the US to within a few miles of his house, a buddy in Asia to within a few streets and my own to just a few miles down the road. More concerningly the internal IP combined with the internet facing address provides the basis for a direct probe and then attack of any individual on Skype’s global address book.”
He said a website had been set up to provide an easier way to exploit the IP tracking but that it hadn’t yet been checked out for malware. The site is down at present.
Before everyone panics, it is not clear if the problem affects the current corporate build of Skype or just the deobfuscated build mentioned in the posting. Skype, and presumably Microsoft given the amount of integration Redmond is planning with its code base, are no doubt hoping it’s the latter situation. In any case, simply turning off the software when you’re not using it minimizes any threat window.
“We are investigating reports of a new tool that captures a Skype user’s last known IP address,” Adrian Asher, director of product security at Skype told El Reg in an emailed statement. “This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.”