From the Security Experts

May 02, 2012

Flaw in Skype 5.5 Allows Hackers to Capture Users' IP Addresses

By Contributing Writer

A tool recently published on Pastebin allows hackers to infiltrate Skype 5.5. Hackers can see anyone’s vCard, get the person’s real user IP address and obtain their PC’s internal network card’s IP address.

“This is an ongoing, industry-wide issue faced by all peer-to-peer software companies,” Adrian Asher, Skype's director of product security, told TechNewsWorld. “We are committed to the safety and security of our customers and we are taking measures to help protect them.”

According to researchers, the flaw could allow hackers to obtain users’ locations, digital files and identities. By tracking Skype accounts combined with geo-locator services, researchers were able to construct a user’s activities even when the person hadn’t used Skype for 72 hours.

To construct a person’s habits and whereabouts for weeks or months without the target’s knowledge, hackers could call the person over Skype and terminate the call immediately. They could also discover the digital files downloaded by the hacker by combining the Skype attack with the target’s file sharing activities over sites like BitTorrent.

By linking the data from VoIP systems to personal information on social media sites, marketers could create profiles on large numbers of people. In fact, marketers could track up to 10,000 people for about $500 per month.

“There's a lot more at risk than simply IP disclosure,” said Randy Abrams, a security consultant. “The ability to redirect to another Web page implies the ability to frame someone for accessing child pornography, among other non-trivial attacks, for example.”

Researchers who investigated the Skype flaw have suggested several tactics for sealing the breach.

First, VoIP service providers could prevent an IP address from being revealed to callers unless the recipient actually answers the call. Second, users could block calls from anyone not on their contact list. This, according to researchers, was basically the concept of Caller ID in reverse.

Finding someone’s location and ISP through their IP address is as simple as using a service like Whois, which provides information on registered users or assignees of domain names or IP address blocks. According to researchers, the hack could be perpetuated by a sophisticated hacker of high school age.

Edited by Braden Becker