TMCNet: Skype Responds to IP Address Privacy Vulnerability

[May 01, 2012]

Originally posted on VoIP & Gadgets Blog, here:

Yesterday it was reported that a simple script could expose any Skype user's IP address. A Microsoft representative saw my article and gave me this official response, which they also provided to other media outlets:

“We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.”

Adrian Asher, Director of Product Security, Skype

It's a bit of a non-answer if you ask me. True, P2P by its very nature is going to create connections between your computer/mobile and your 'target' computer/mobile. As such, it's not difficult to determine what IP addresses you are connecting to.

However, Skype leverages supernodes for a large portion of their infrastructure. I believe the supernodes handle authentication as well as call setup (or IM setup). So these supernodes act as an intermediary (proxy) between peer1 (your computer) and peer2 (target computer).

Thus, I wouldn't expect peer1 to see peer2's IP address. Apparently, this vulnerability leverages the search feature in Skype and viewing their vcard info and presence (online/offline). My guess is that Skype queries the supernodes when searching for a Skype user, but then once it finds the user, it sets up a direct P2P session between your computer and the Skype user you searched for and pulls the relevant vcard / presence information. Game, Set, Match! IP address exposed!

If my assumptions are correct, I can see why Skype set it up this way. If they use supernodes to also "pull" the vcard and presence information, that's an additional load on the supernodes. I'm fairly sure, but not positive, that your existing Skype buddies also make a direct P2P connection with each buddy to pull presence information, which also would expose IP addresses. But if you have 100 buddies, trying to figure out which 1 out of 100 buddies is their IP address would be difficult. If Skype made a technical change forcing each Skype client to pull presence info via supernodes (pseudo proxy) instead of direct P2P connections, that would drastically impact performance of the Skype network. This may be a huge architectural change to solve this IP address vulnerability.

However, Skype could simply change their search function to use supernodes (mask IP addresses) and allow the Skype client to query their buddies using P2P (IP addresses can be determined). At least this would block any non-buddy from determining your IP address. I may be wrong in my technical assessment, so I will reach out to Skype for further comment on this. Stay tuned...
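The trade-off argued above, as an added example (not from the original post, and not Skype's actual protocol): a toy model of the hypothesised lookup paths that counts who opens a direct session to a user and how many lookups the supernodes must relay under each policy. The policy names, user names and request list are constructed for illustration.

```python
# Toy model (constructed): who learns a user's IP address under three lookup
# policies, and how many lookups supernodes relay. It models the post's
# hypothesis only; it is not Skype's real protocol.
from collections import defaultdict

POLICIES = {
    # policy name -> request kinds that are proxied through a supernode
    "all_direct": set(),                    # behaviour the post hypothesises
    "search_relayed": {"search"},           # the post's proposed change
    "all_relayed": {"search", "presence"},  # the "huge architectural change"
}

def simulate(policy, buddies, requests):
    """requests: list of (requester, target, kind); kind is 'search' or 'presence'.
    Returns (exposed, relay_load), where exposed[target] is the set of
    requesters that opened a direct session and so saw target's address."""
    relayed_kinds = POLICIES[policy]
    exposed = defaultdict(set)
    relay_load = 0
    for requester, target, kind in requests:
        if kind == "presence" and requester not in buddies[target]:
            continue  # presence pulls only happen between buddies
        if kind in relayed_kinds:
            relay_load += 1                 # requester only sees the supernode
        else:
            exposed[target].add(requester)  # direct P2P: target's IP is visible
    return dict(exposed), relay_load

def compare(n_buddies=100):
    """One user ('alice') with n_buddies buddies plus one non-buddy searcher."""
    buddy_list = [f"buddy{i}" for i in range(n_buddies)]
    buddies = {"alice": set(buddy_list)}
    requests = [(b, "alice", "presence") for b in buddy_list]
    requests.append(("stranger", "alice", "search"))
    results = {}
    for policy in POLICIES:
        exposed, load = simulate(policy, buddies, requests)
        seen_by = exposed.get("alice", set())
        results[policy] = {
            "stranger_sees_ip": "stranger" in seen_by,
            "parties_seeing_ip": len(seen_by),
            "relay_load": load,
        }
    return results

if __name__ == "__main__":
    for policy, row in compare().items():
        print(policy, row)
```

Under these assumptions, relaying only search removes the non-buddy from the set of parties that see the address at the cost of one relayed lookup, while relaying presence as well moves every buddy lookup onto the supernodes.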
