Warning: Skype Exploit reveals Users’ IP Addresses

Now this is nothing new because this exploit has been there for ages and it still isn't fixed and it probably can't be fixed since it would require a lot of Skype code to be re-written. When Microsoft took over Skype they only added some of their own stuff to it in the latest version 6.0 but the exploit is still there and still works. This shows again that Microsoft doesn't care about the privacy of their customers when it's too much effort to fix something like this.

So how does it work?

It's easy, turn on debug log creation in your Skype client then add a person you want the IP address from but you never sent the invitation, you just look at the persons informational card. Now Skype will write down the IP address of your 'victim' in the debug file, you can get anyone's IP on Skype this way as long as you know their name and as long as they are online. Once you have their IP you can do a lot of stuff with it. ddos-ing it seems the most popular option.

The most common mistake Skype users make regarding this exploit is that they think they need to accept the invitation but no, this is not the case, just being online is enough for somebody to get your IP address.

This is a major security issue. I know that every website you visit makes note of your IP in their logfiles, so do we, but it's almost impossible to connect a name to a specific IP address. You usually need to ask the service provider of that person to get that information and they won't usually give it to you without a court order.

We've seen a huge increase here in the Netherlands of ddos attacks on business connections, since a lot of businesses are using Skype these days, we've had a couple of news items where our ISPs had serious troubles with a lot of their business customers being under attack. (http://tweakers.net/nieuws/86881/ziggo-kampt-met-ddos-aanval-op-zakelijke-internetverbindingen.html). (In dutch).

The reason why I'm posting this right now is because Windows Live Messenger (MSN), which a lot of people are still using especially where I live in The Netherlands, is going to be replaced by Skype at the end of April and Microsoft is forcing people to migrate by that time. Of course I'm not using Skype as long as this exploit is there and I think anybody that cares about their privacy shouldn't.

For more information see: http://www.geekosystem.com/skype-exploit-ip/

Skype alternatives: http://www.makeuseof.com/tag/fed-up-with-skype-here-are-6-of-the-best-free-alternatives/

For advanced users / IT pro's, if you have to use Skype rent a VPS or dedicated server, built and use a SOCKS 5 proxy for use with Skype: http://sockdaily.org/socks-aritcles/how-to-use-socks-5-with-skype/

 

Wouldn't a VPN connection fix the problem?

Myself, i use Torguard and have 1 dedicated ip from them at the server of my choice plus tons of shared ip's.

When you're behind VPN network, the DDoS never goes to your home, but bombs the VPN infrastructure instead?

 

Microsoft finally fixed this. Well, sort of:

http://krebsonsecurity.com/2013/05/skype-beta-plugs-ip-resolver-privacy-leak/

 

that fix leaks unfortunately. Some paid and free resolvers can still get your ip. (such as: speedresolve/grabthatip)
Also, some others can pull old records while being unable to resolve your current ip with 100% certainity.

I blacklisted myself out (paid) from these sites and havent had any issues since then..