Skype's IP-leaking security bug creates denial-of-service cottage industry

It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).
Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire than can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.
Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: ddos • security • skype

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

EH

The “someone’s home” is a weird construction, are these tools used amongst and against finance workers?
merreborn

Isn’t this inherent in skype’s P2P nature? How exactly do you propose you hide your IP in a P2P network?

Bittorrent is essentially prone to the same problem: you expose your IP to your peers. The only difference is bittorrent doesn’t happen to tie a username to your activities.

But you could just as easily open a service like this to DDOS everyone downloading a specific piratebay torrent, for example.

Bitcoin and spotify might be similarly exploitable.

Initiating a direct file transfer via most IM clients similarly exposes IP addresses.

“Leaking your IP” seems like a bit of a trumped-up threat. The phonebook also “leaks your telephone number”, but that’s the cost you pay for direct connections…
- Aleknevicus
  
  Using your phonebook analogy…
  
  Even though you give your phone number to selected people, you still might want an unlisted number.
  
  There are many reasons why you don’t want *everyone* to have access to the information you give to certain parties.
- http://twitter.com/alexkiousis alexk
  
  If you had bothered to read the article, you would have seen that it doesn’t talk about getting the ip from a direct connection. That required that you have added someone and initiated a direct connection with him.
  These sites use a modified client that creates a debug log from where you can extract the last known IP the client has connected from.
- dragonfrog
  
  The bug is not that your IP is leaked when a call is established. The bug is that even if you don’t answer, or even if you have blocked a particular Skype account from being able to call you, the IP address is still revealed.
  
  This is entirely unnecessary – Skype could be engineered so that your IP address is only revealed to the caller when you accept the call.
Cowicide

It’s a shame for people that purchase a static IP address. Seems like if you use Skype, you should change to a dynamic IP address while you’re doing it. Or, better yet, don’t use Skype at all until they get around to fixing this security bug.

If they never fix it, find a different service; Let them go out of business, they deserve it for this kind of gross ineptitude.
- http://www.nathanhornby.com/ Nathan Hornby
  
  Some new in-browser SIP options coming soon thanks to new browser technology. Stay tuned.
  - Cowicide
    
    This?
    
    http://code.google.com/p/sipml5/
    - http://www.nathanhornby.com/ Nathan Hornby
      
      I believe so yes!
      
      (I’m working on a product in a ‘non-technical’ capacity that’s launching next month)
      - Cowicide
        
        Very cool! Good luck!
      - http://www.nathanhornby.com/ Nathan Hornby
        
        It really is super cool.
        
        Our primary involvement is design (we’re an agency) but I’ll pass it on!
      - Cowicide
        
        Guess we can say bye to Skype! ;D
      - http://www.nathanhornby.com/ Nathan Hornby
        
        Hopefully, it’s been an unreliable POS for years.
      - Cowicide
        
        Yep, not to mention an Achilles’ heel for security over the years as well.
    - http://www.nathanhornby.com/ Nathan Hornby
      
      Just spotted a reference to WebRTC – that’s the ticket.
      - Cowicide
        
        Strange, it shows compatibility with Safari in Windows, but not Safari on Mac. Never seen that before. Guess for now have to use Chrome, Firefox Nightly on Mac?
SomeDude

this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

I can’t figure out what the intent was when mentioning “executives”… are they not individuals, and therefor already covered by the earlier phrasing? Is their privacy somehow more important than other peoples’?
- http://www.nathanhornby.com/ Nathan Hornby
  
  “Is their privacy somehow more important than other peoples’?”
  
  I wouldn’t say it’s more ‘important’, but it’s potentially a lot more destructive.
  
  DDOSing your mum is likely to have a different affect to DDOSing the president of Verizon.
  
  Kind of a given isn’t it?
  - invictus
    
    Not to mention the latter being able to apply far greater pressure on M$.
    
    I note Skype does promote its services specifically for business settings. There must be a corporation or two out there who’ll sit up and take notice of this glaring security hole, right? Right?
  - dragonfrog
    
    Yeah – if you DDOS the president of Verizon, they’ll get some serious resources behind DDOS resistance. If you DDOS someone’s mum, she’s quite likely to be dropped as a customer by her ISP, because it’s much easier for them than protecting her.
  - SomeDude
    
    So if I understand, “individuals and executives” is code for “people of little means and people of plentiful means”. Got it.
    - http://www.nathanhornby.com/ Nathan Hornby
      
      It’s got bugger-all to do with ‘means’, I was talking about impact.
      
      Is this really debatable?
- Gilbert Wham
  
  It’s just distinguishing two different subjects referred to earlier in the sentence, and the respective threats to both. Stalkers tend to stalk individuals, not corporations.