A design flaw in Skype exposes a user’s IP address to anyone who has that user’s Skype name and a “Skype resolver” hacker tool.
This IP address privacy vulnerability allows hackers to geographically track and harass Skype users, and opens the door to a variety of other security issues such as denial-of-service attacks (DoS attacks).
Access to Skype has been a contributing factor to many democracy movements in recent years, allowing journalists and activists to be anonymous and circumvent a battery of physical controls and wiretaps on traditional telephones. Now this freedom – and their IP addresses – is open to attack. The IP address is a numeric code assigned to each device on the internet which enables it to send and receive data. Researchers have been able to track people within 700 meters by analyzing their IP addresses.
Your IP address is almost public knowledge
While Skype’s IP address vulnerability has been known for several years, the ability of hackers to misuse it has increased dramatically thanks to “Skype resolvers,” wrote Brian Krebs on his award-winning KrebsOnSecurity blog recently. Skype resolvers are simple online tools that take a Skype user name and respond in minutes with the user’s most recent IP address and country of origin.
Resolver tools are often paired with “booters,” moneymaking online attack tools that can be hired to launch denial-of-service attacks on targeted sites. These attacks range from the recent attacks on JP Morgan Stanley to smaller-scale attacks that knocked KrebsOnSecurity and Ars Technica offline. As Krebs pointed out, resolvers work regardless of any privacy settings users have selected in Skype’s program configuration panel.
Use the privacy option
Most of us aren’t concerned about getting knocked off the internet with a DoS attack. But we do like to control who can see where we are and what we are doing on the internet. And when it comes to this Skype vulnerability, users like myself have a choice: We can use a normal computer connection – either cable broadband or WiFi – and reveal our current IP address. Or, we can use a free VPN service like Hotspot Shield VPN to hide our IP address and location from Skype resolvers.
I tested a Skype resolver tool and found out that it correctly identified my IP address and geographic location. But after turning on my Hotspot Shield VPN client, the resolver showed, based on the temporary IP address given to me by Hotspot Shield, that I was somewhere in San Jose, California… about half a globe away from my physical location in Central Europe.
While we can’t fix this Skype vulnerability, we can choose whose IP address to reveal. My choice is clear.
Lyle Frink on Google+