Skype's IP-leaking security bug creates denial-of-service cottage industry


23 Responses to “Skype's IP-leaking security bug creates denial-of-service cottage industry”

  1. EH says:

    The “someone’s home” is a weird construction, are these tools used amongst and against finance workers?

  2. merreborn says:

    Isn’t this inherent in Skype’s P2P nature?  How exactly do you propose you hide your IP in a P2P network?

    BitTorrent is essentially prone to the same problem: you expose your IP to your peers.  The only difference is BitTorrent doesn’t happen to tie a username to your activities.

    But you could just as easily open a service like this to DDOS everyone downloading a specific piratebay torrent, for example.

    Bitcoin and Spotify might be similarly exploitable.

    Initiating a direct file transfer via most IM clients similarly exposes IP addresses.

    “Leaking your IP” seems like a bit of a trumped-up threat. The phonebook also “leaks your telephone number”, but that’s the cost you pay for direct connections…

    • Aleknevicus says:

      Using your phonebook analogy…

      Even though you give your phone number to selected people, you still might want an unlisted number.

      There are many reasons why you don’t want *everyone* to have access to the information you give to certain parties. 

    • alexk says:

      If you had bothered to read the article, you would have seen that it doesn’t talk about getting the IP from a direct connection. That required that you have added someone and initiated a direct connection with him.
      These sites use a modified client that creates a debug log from where you can extract the last known IP the client has connected from.

    • dragonfrog says:

      The bug is not that your IP is leaked when a call is established.  The bug is that even if you don’t answer, or even if you have blocked a particular Skype account from being able to call you, the IP address is still revealed.

      This is entirely unnecessary – Skype could be engineered so that your IP address is only revealed to the caller when you accept the call.
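
The design described in the comment above, sketched as an added example that is not part of the original thread and is not Skype's code: a hypothetical signaling relay that releases endpoints only once the callee accepts. The `Broker` class, its method names and the documentation-range addresses are all assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Broker:
    """Hypothetical signaling relay; every name here is an assumption."""
    endpoints: dict = field(default_factory=dict)  # user -> "ip:port"
    blocked: dict = field(default_factory=dict)    # callee -> set of callers
    pending: dict = field(default_factory=dict)    # call_id -> (caller, callee)

    def register(self, user, endpoint):
        self.endpoints[user] = endpoint

    def block(self, callee, caller):
        self.blocked.setdefault(callee, set()).add(caller)

    def invite(self, caller, callee):
        """Start a call. The reply never contains the callee's endpoint."""
        call_id = secrets.token_hex(8)
        known = caller in self.endpoints and callee in self.endpoints
        # A blocked caller gets the same "ringing" reply, but the invite is
        # dropped, so the callee is never asked and nothing can be accepted.
        if known and caller not in self.blocked.get(callee, set()):
            self.pending[call_id] = (caller, callee)
        return {"call_id": call_id, "state": "ringing"}

    def accept(self, call_id, user):
        """Only the invited callee can accept; only then are endpoints exchanged."""
        caller, callee = self.pending.get(call_id, (None, None))
        if callee is None or user != callee:
            return None
        del self.pending[call_id]
        return {"caller": self.endpoints[caller], "callee": self.endpoints[callee]}

    def decline(self, call_id, user):
        """Declining (or ignoring) a call releases nothing to the caller."""
        if self.pending.get(call_id, (None, None))[1] == user:
            del self.pending[call_id]
        return {"call_id": call_id, "state": "ended"}


if __name__ == "__main__":
    b = Broker()
    b.register("alice", "192.0.2.10:40000")   # constructed sample addresses
    b.register("bob", "198.51.100.7:40001")
    ring = b.invite("alice", "bob")
    print(ring)                                # no address in the reply
    print(b.accept(ring["call_id"], "bob"))    # endpoints exchanged on accept
```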

  3. Cowicide says:

    It’s a shame for people that purchase a static IP address.  Seems like if you use Skype, you should change to a dynamic IP address while you’re doing it.  Or, better yet, don’t use Skype at all until they get around to fixing this security bug.

    If they never fix it, find a different service; let them go out of business, they deserve it for this kind of gross ineptitude.

  4. SomeDude says:

    this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

    I can’t figure out what the intent was when mentioning “executives”… are they not individuals, and therefore already covered by the earlier phrasing?  Is their privacy somehow more important than other people’s?

    • “Is their privacy somehow more important than other peoples’?”

      I wouldn’t say it’s more ‘important’, but it’s potentially a lot more destructive.

      DDOSing your mum is likely to have a different effect to DDOSing the president of Verizon.

      Kind of a given isn’t it?

    • Gilbert Wham says:

      It’s just distinguishing two different subjects referred to earlier in the sentence, and the respective threats to both. Stalkers tend to stalk individuals, not corporations.
