Thursday, May 3, 2012

Serious Skype privacy bug

All you who use Skype need to know that you do not have much anonymity, and that anyone who knows your Skype handle can trace your location to a couple miles of your actual physical location:
Code posted online that can skim the last known IP address of users is being checked out by Skype as a possible security flaw.

The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online without calling them. Services like Whois will then give some other details on the city, country, internet provider and/or the internal IP-address of the target.
Now, maybe this isn't a big deal for you.  But some people use Skype to keep people from knowing where they are.  If you're one of those, you should reconsider using Skype until there's a fix.

That said, it may not be possible to fix this.  This seems to be a feature that's present in millions of user's copies of the software, and that was "hidden" (intentional use of scare quotes) in an incompetent manner.  The toothpaste may be out of the tube - even if Skype releases a new version that removes this code, someone could keep the capability by simply refusing to upgrade.

Remember, they're not doing anything to your copy of Skype, but rather to theirs.  Once again, if you don't care that people on Skype can tell that you're in East Timbuktu, then this is no big deal.  But if you need your physical location masked from people you talk to then you need to stop using Skype right now.

3 comments:

  1. If you need your IP masked, you need to _not_ depend on other people's tools to keep that information hidden. Tunnel all your traffic through a one-time-use proxy or a tor network. Seriously...I don't need a skype bug to identify the IP addresses of folks I'm talking to through the internet...I can just use netstat.

    Of course, the flip side is that, unless your would-be spies are either feds (who can hit your ISP with a warrant) or mafiosi (who can get someone to break into your ISP and hack the records), knowing your IP address doesn't necessarily say much about you. (My IP address at home will tell a knowledgeable inspector that I live somewhere in the Indiana suburbs of Chicago....which is correct as far as it goes, but so imprecise that if you dropped a nuclear bomb on the likely best guess about my location, I wouldn't even get my windows broken. My IP address at work will tell the same inspector that my office is in Troy, Michigan. Wrong state. Wrong _time zone_. But it is the headquarters of the company that provides my employer's landlord with managed internet service.)

    So the lesson:

    1. Don't trust other people's secret bits to keep you anonymous.
    2. Know what the internet can guess about you...it might be more than you think, but it also might be a lot less.

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.