Hackers Can Silently Grab Your IP Through Skype (404media.co) 56
Slash_Account_Dot writes: Hackers are able to grab a target's IP address, potentially revealing their general physical location, by simply sending a link over the Skype mobile app. The target does not need to click the link or otherwise interact with the hacker beyond opening the message, according to a security researcher who demonstrated the issue and successfully discovered my IP address by using it. Yossi, the independent security researcher who uncovered the vulnerability, reported the issue to Microsoft earlier this month, according to Yossi and a cache of emails and bug reports he shared with 404 Media. In those emails Microsoft said the issue does not require immediate servicing, and gave no indication that it plans to fix the security hole. Only after 404 Media contacted Microsoft for comment did the company say it would patch the issue in an upcoming update.
Are people still using Skype? (Score:5, Funny)
I really thought it was dead.
Re: Are people still using Skype? (Score:5, Interesting)
Re: Are people still using Skype? (Score:4, Insightful)
I'm not a Democrat, but anyone who "talks about Ukraine's provocation of Russia prior to the war" *is* a Russian asset or an idiot.
Re: (Score:2)
You could always ask Microsoft how that $8.5 Billion investment is working out. =P
Microsoft LOVES to re-invent chat. [versionmuseum.com]
* V-Chat
* NetMeeting
* Meeting Space
* MSN Messenger
* Office Live Meeting
* Skype
* Microsoft Teams
Re: (Score:2)
The interesting part is that they are generally just looking for a new profit center, rather than re-inventing chat as a goal. Teams is the only thing on the list that fit the bill. The current layoffs were held off for almost 2 years as a result of the windfall profits from Teams implementation.
Re: (Score:2)
I gave up on it when they deliberately broke the app and custom webcam on my TV. Facetime FTW.
So what? (Score:3)
First, anyone who operates a server can know your IP address. It's not exactly top secret information.
Second, who the hell still uses Skype?
Re: (Score:3)
Re: (Score:2)
"peer-to-peer key exchange" without knowledge and consent? yes, indeed, that would be an exploit.
except that's not what is happening here.
Because Microsoft has not fixed it, 404 Media is not explaining the specifics of the vulnerability in great detail. But it is trivially easy to exploit and involves changing a certain parameter related to the link.
it's a leak.
Re: (Score:1)
it's a leak.
No. Having a client load content derived rom a compromised source is NOT A LEAK.
That's how content is delivered. This is like claiming those infectious adverts plastered all over farcebook are a "leak".
IPs are public. It's what makes them routable.
Re: (Score:2)
Haven't you heard of WHOIS? possibly not, since it's the roaring white heat of 1970s technology.
Taking your UID as an IP, 10485446 goes to 104.85.44.6 and WHOIS (that IP) tells me that you are
Hmmm, maybe not a good example. But generally IP addresses can be tra
Re: (Score:2)
First, anyone who operates a server can know your IP address. It's not exactly top secret information.
first of first, not without me knowing it and starting the interaction. you should be able to appreciate that exploiting a crappy ms app on my phone that misbehaves without me even being aware is an entirely different issue..
second of first, an ip address can indeed be very sensitive information depending on the context. besides that isn't the point.
Second, who the hell still uses Skype?
so first of second, that isn't the point either, it's still a live and maintained product with a gaping hole that should be patched. this is actually newsworthy
Re: (Score:2)
My dad and his ham radio buddies. He talks with a guy in England and Germany using Skype on his PC. There are others as well from the U.S. and other countries, just not as often.
I am dreading the day Microsoft kills off Skype and forces them onto Teams or something similar.
Really not a problem (Score:2)
Anyone who can get your identity and location from this doesn't need to.
I have a southern Ontario IP address - which doesn't even show the correct city when you look it up on a geolocation service, because it's registered to the offices of the provincial ISP that issued it to me.
Good luck finding me to do me ill when the location is effectively 'Toronto, +/- 100km'. I'm still fairly anonymous as 1 of 13 million people in the region. Even if you dropped a mid-sized nuke you'd have to get lucky to take me
Re: (Score:3)
Anyone who can get your identity and location from this doesn't need to.
This is one of the reasons I started using a VPN service. I'm really not worried about what my ISP is tracking or law enforcement. I'm more concerned about the random internet wack job than I am those agencies. With a VPN my address comes from a random city hundreds of miles from where my ass is.
Re: (Score:2)
Yes: Really a problem (Score:3)
Re: (Score:2)
good luck with that anonymity! ;-)
your ip is still a valid target, or a valid vector for a target. furthermore. besides your ip address identifies you personally at any point in time on isp and vpn records, you are anonymous as long as nobody looks for you, and thus your ip is information that at best shouldn't be divulged and kept on a "need to know" level. this has nothing to do with obscurity, but with common sense. just as publicly posting your ssn in the us can easily get you into lots of trouble, but
Re: (Score:2)
Anecdote about geo location, last time I got a "new sign in from" it reported a location 600 miles away from me, and that's without me trying to obfuscate or anything.
Of course, 9 times out of 10 the geo location based on IP nails my city, so narrows down to about a quarter million.
Re: (Score:2)
My situation is similar. I live in Trinidad, CO, but my IP is up around Colorado Springs, over 100mi away because I'm on DSL and that's where the first router I go through is. Considering how mountainous the area is, I doubt that dropping Tsar Bomba on the router would reach me.
Re: (Score:2)
Indeed. IP addresses are not valid secrets to protect anything. Ist this about Windows "security" getting even more laughable or what?
Incidentally, my IP here gets "geolocated" about 300km away.
Re: (Score:2)
Re: (Score:2)
There are hundreds of easier more accurate ways to find someone than an IP. Public record search will reveal enough information about someone to catch them at home or on the job.
But what information do you assume the attacker already has here?
Time for Microsoft... (Score:2)
Ackchyually (Score:3)
Technically it's not my IP, it's my ISP's and comes out of a randomly assigned pool. But thank you for playing.
Fun fact, if you visit my website I also know your IP. Elite hackers can also try random IPs (like a war dial) until they find something interesting on the other end.
Re:Ackchyually (Score:4, Informative)
I think the "vulnerability" is because of Skype (and many other chat clients) link preview functionality.
You know, you paste a link in a chat group - be it Discord, Skype, Slack, or whatever, and you get a little blurb about the destination of that link. Perhaps you get a image, and a few lines of context and the title.
Sometimes it's extra fancy - you paste a YouTube link and a YouTube embedded player appears in its place. You paste something from Threads or X, and the entire thing shows up.
Of course, to do that requires someone somewhere actually retrieve the link and parse it out. Centralized systems like Discord, the Discord server fetches the link and generates the preview (otherwise a busy server might have hundreds of people hammering the link to do the preview).
Since Skype is probably more point to point rather than to a crowd, I would expect the leak happens because Skype is doing the preview - so it's fetching the link automatically. Do it with enough parameters and you can identify the target.
Re: (Score:2)
Yea, I use to do this on IRC. Put a link in the channel to a site where I had access to Apache logs. This was useful if they were on a shell account or otherwise couldn't see their IP. This was back when Smurf attacks [wikipedia.org] were effective ways to grief people.
(I'm not pretending to be a skilled hacker. Mostly I was being a pain in the ass in order to demonstrate to arrogant people that they weren't quite as anonymous as they assumed)
Re: (Score:2)
Technically it's not my IP, it's my ISP's and comes out of a randomly assigned pool. But thank you for playing.
That is a meaningless distinction. It is effectively your IP address for as long as you are using it.
Also, using a dynamic IP address does not mean that Skype (or any webserver you access) can't use the IP you were assigned for geolocation, which is the threat this article discusses. (You would need to tunnel your traffic through some kind of VPN to obscure that).
Re: (Score:2)
Elite hackers can also try random IPs (like a war dial) until they find something interesting on the other end.
"Elite" hackers? You mean script babies?
Re: (Score:2)
With DHCP, your device leased the IP and it belongs to the device until the lease is up. And Skype will reveal each new IP you lease.
Please? (Score:2)
Re: (Score:2)
Can I please, please, "dial" an IP and make a phone call. Fuck your services. Netmeeting, rise!
Already done and functional and uses DNS to map phone numbers to IP but of course, nobody is using it and everybody prefers paying VOIP providers, use skype or what not! See link below:
https://nickvsnetworking.com/e... [nickvsnetworking.com]
I had this working with a couple friends but couldn't get anybody else to use it :(
Re: (Score:2)
So let me amend my demand: Please let me type in your IPv6 number and simply have a connection that we can do a
Re: (Score:2)
I really don't like middle men and the second to the last paragraph of your article kinda says I'd still have to have somebody support it. And frankly, I'm not optimistic about this. Even though I like it--even given the dangers.
Nothing stops you from setting up your own domain name and do the same.
So let me amend my demand: Please let me type in your IPv6 number and simply have a connection that we can do a vid call with with the software of my and your choosing (possibly different for each of us) over the ISP I am required to accept.
Already working too. Just install a softphone like linphone and type sip:ipv4/6 to reach the other end, no third party required. The DNS setup is only required to map phone numbers to sip:ipv4/6. That should have been obvious. I do VOIP by the way and it supports video.
Re: (Score:2)
That should have been obvious.
Not to me, but I get it now. Telecom is not my thing. Now I can look deeper. Not surprised to find a "back" way. I'm sure it's easier just to sign up for Zoom at the end of the day. But I'm glad I can do it myself if I want. Thanks!
Why is this a surprise? (Score:2)
Skype is peer-to-peer. As fas as I know, Skype servers are just there to serve as a directory: when your Skype client wants to talk to another Skype client, it gets the IP from the Skype server and then it talks to that IP.
At least that's my understanding, since the Skype protocol is unpublished, but it's known to be based on Kazaa, which is P2P.
So yeah, a client sending something to your client will know your IP. That's kind of unavoidable with P2P...
Re: (Score:2)
I came here to say the above. "Protocol designed to be peer-to-peer is in fact peer-to-peer and vendor has no plans to "fix." Film at 11."
Re: (Score:3)
It used to be that way. But they went to central servers about a decade ago, so you aren't as random as you used to be.
Re: (Score:3)
Doesn't even matter about whether it's peer to peer or not. He sent a link to a website that he controls the logging for. The "standard" behavior among all chat clients nowadays is to go ahead and connect to the specified URL to render some preview. It's a fairly dumb default (the preview is rarely uselul, but is always big), but it's pervasive, not a "skype" thing in particular.
Is this really that unique to Skype? (Score:2)
I feel like most messaging platforms with automatic preview by default, or inline image loading enabled do this as a matter of course.
It'd be good to first time prompt rather than deing it by default (the 'preview the url' feature of messaging and mail clients is generally useless, so I would probably love to be prominently prompted to turn it off anyway.
Re: (Score:2)
How is this "news"? (Score:1)
No. Really HOW is this news?
This is true of any client that interacts with public content, be it mail, your browser or your fricken toaster, (if you decided you can't function without an IoT toaster)
Did some "researcher" just discover how the Internet works?
Re: (Score:2)
Sounds like it. I mean, IPs are not secrets and should not be. If your security is so bad that you need to keep your IP addresses secret, you are doing it wrong.
Duh. And Microsoft forces integration still. (Score:2)
When is the next lawsuit for Microsoft? They need another smack down. And soon.
Re: (Score:2)
They need to die. Nothing else will fix the massive mess the have created and that is getting worse.
Soo? (Score:2)
People can get my IP by doing a domain lookup when they know my name. What is the big deal? Has windows "security" gotten so bad that users of that crap now need to keep their IPs secret?
No, they cannot. (Score:2)
In order to "silently grab [my] IP" using Skype, it would mean that I would have to have that infernal piece of shit installed on any device I own, and actually have that service loaded.
I have a feeling that might be pretty hard for someone to remotely accomplish, if they haven't already "grabbed my IP" which isn't secure information anyway.
What a dumb fucking story. If your security depends on someone not being able to find your public IP, you have absolutely no security at all.