Skype's IP-leaking security bug creates denial-of-service cottage industry

It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea is that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location


  1. The “someone’s home” is a weird construction, are these tools used amongst and against finance workers?

  2. Isn’t this inherent in skype’s P2P nature?  How exactly do you propose you hide your IP in a P2P network?

    Bittorrent is essentially prone to the same problem: you expose your IP to your peers.  The only difference is bittorrent doesn’t happen to tie a username to your activities.

    But you could just as easily open a service like this to DDOS everyone downloading a specific piratebay torrent, for example.

    Bitcoin and spotify might be similarly exploitable.

    Initiating a direct file transfer via most IM clients similarly exposes IP addresses.

    “Leaking your IP” seems like a bit of a trumped-up threat. The phonebook also “leaks your telephone number”, but that’s the cost you pay for direct connections…

    1. Using your phonebook analogy…

      Even though you give your phone number to selected people, you still might want an unlisted number.

      There are many reasons why you don’t want *everyone* to have access to the information you give to certain parties. 

    2. If you had bothered to read the article, you would have seen that it doesn’t talk about getting the IP from a direct connection. That requires that you have added someone and initiated a direct connection with him.
      These sites use a modified client that creates a debug log from which you can extract the last known IP the client has connected from.

    3. The bug is not that your IP is leaked when a call is established.  The bug is that even if you don’t answer, or even if you have blocked a particular Skype account from being able to call you, the IP address is still revealed.

      This is entirely unnecessary – Skype could be engineered so that your IP address is only revealed to the caller when you accept the call.
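A toy model of the design the commenter describes, added here as an example that is not part of the original post and is not Skype's actual protocol: a signaling relay hands the caller the callee's address only once the callee accepts, and a blocked caller is told nothing (the account names, addresses and class names are made up).

```python
"""Call signaling that withholds the callee's address until acceptance.

Constructed example: names, addresses and the Relay/Account classes are
invented for illustration and do not model any real client or server.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    address: str                      # IP this account is currently using
    blocked: set = field(default_factory=set)


class Relay:
    """Signaling server that brokers calls without exposing endpoints."""

    def __init__(self):
        self.accounts = {}
        self.pending = {}             # call_id -> (caller, callee)

    def register(self, account):
        self.accounts[account.name] = account

    def invite(self, caller, callee):
        """Return an opaque call id; the caller learns nothing else yet."""
        target = self.accounts[callee]
        if caller in target.blocked:
            return None               # blocked callers get no signal at all
        call_id = f"call-{len(self.pending) + 1}"
        self.pending[call_id] = (caller, callee)
        return call_id

    def accept(self, call_id, by):
        """Only the callee's own acceptance releases the callee's address."""
        caller, callee = self.pending.pop(call_id)
        if by != callee:
            raise PermissionError("only the callee can accept")
        return self.accounts[callee].address

    def reject(self, call_id):
        """An unanswered or declined call reveals nothing to the caller."""
        self.pending.pop(call_id, None)
        return None
```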

  3. It’s a shame for people that purchase a static IP address.  Seems like if you use Skype, you should change to a dynamic IP address while you’re doing it.  Or, better yet, don’t use Skype at all until they get around to fixing this security bug.

    If they never fix it, find a different service; let them go out of business, they deserve it for this kind of gross ineptitude.

          1. Strange, it shows compatibility with Safari in Windows, but not Safari on Mac. Never seen that before. Guess for now have to use Chrome, Firefox Nightly on Mac?

  4. this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

    I can’t figure out what the intent was when mentioning “executives”… are they not individuals, and therefore already covered by the earlier phrasing?  Is their privacy somehow more important than other peoples’?

    1. “Is their privacy somehow more important than other peoples’?”

      I wouldn’t say it’s more ‘important’, but it’s potentially a lot more destructive.

      DDOSing your mum is likely to have a different effect to DDOSing the president of Verizon.

      Kind of a given isn’t it?

      1. Yeah – if you DDOS the president of Verizon, they’ll get some serious resources behind DDOS resistance.  If you DDOS someone’s mum, she’s quite likely to be dropped as a customer by her ISP, because it’s much easier for them than protecting her.

      2. So if I understand, “individuals and executives” is code for “people of little means and people of plentiful means”.  Got it.

    2.  It’s just distinguishing two different subjects referred to earlier in the sentence, and the respective threats to both. Stalkers tend to stalk individuals, not corporations.
