TMCnet - World's Largest Communications and Technology Community



Skype Responds to IP Address Privacy Vulnerability
[May 01, 2012]

Originally posted on VoIP & Gadgets Blog.

Yesterday it was reported that a simple script could expose any Skype user's IP address. A Microsoft representative saw my article and gave me this official response, which they also provided to other media outlets:

“We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.”

Adrian Asher, director of product Security, Skype

It's a bit of a non-answer if you ask me. True, P2P by its very nature is going to create connections between your computer/mobile and your 'target' computer/mobile. As such, it's not difficult to determine what IP addresses you are connecting to.

However, Skype leverages supernodes for a large portion of their infrastructure. I believe the supernodes handle authentication as well as call setup (or IM setup). So these supernodes act as an intermediary (proxy) between peer1 (your computer) and peer2 (target computer).

Thus, I wouldn't expect peer1 to see peer2's IP address. Apparently, this vulnerability leverages the search feature in Skype and viewing their vcard info and presence (online/offline). My guess is that Skype queries the supernodes when searching for a Skype user, but then once it finds the user, it sets up a direct P2P session between your computer and the Skype user you searched for and pulls the relevant vcard / presence information. Game, Set, Match! IP address exposed!

If my assumptions are correct, I can see why Skype set it up this way. If they use supernodes to also "pull" the vcard and presence information, that's an additional load on the supernodes. I'm fairly sure, but not positive, that your existing Skype buddies also make a direct P2P connection with each buddy to pull presence information, which also would expose IP addresses. But if you have 100 buddies, trying to figure out which 1 out of 100 buddies is their IP address would be difficult. If Skype made a technical change forcing each Skype client to pull presence info via supernodes (pseudo proxy) instead of direct P2P connections, that would drastically impact performance of the Skype network. This may be a huge architectural change to solve this IP address vulnerability.

However, Skype could simply change their search function to use supernodes (mask IP addresses) and allow the Skype client to query their buddies using P2P (IP addresses can be determined). At least this would block any non-buddy from determining your IP address. I may be wrong in my technical assessment, so I will reach out to Skype for further comment on this. Stay tuned...
