Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Security IT

Hackers Can Silently Grab Your IP Through Skype (404media.co) 56

Slash_Account_Dot writes: Hackers are able to grab a target's IP address, potentially revealing their general physical location, by simply sending a link over the Skype mobile app. The target does not need to click the link or otherwise interact with the hacker beyond opening the message, according to a security researcher who demonstrated the issue and successfully discovered my IP address by using it. Yossi, the independent security researcher who uncovered the vulnerability, reported the issue to Microsoft earlier this month, according to Yossi and a cache of emails and bug reports he shared with 404 Media. In those emails Microsoft said the issue does not require immediate servicing, and gave no indication that it plans to fix the security hole. Only after 404 Media contacted Microsoft for comment did the company say it would patch the issue in an upcoming update.
This discussion has been archived. No new comments can be posted.

Hackers Can Silently Grab Your IP Through Skype

Comments Filter:
  • by HBI ( 10338492 ) on Monday August 28, 2023 @09:43AM (#63803134)

    I really thought it was dead.

    • by somejng ( 6410162 ) on Monday August 28, 2023 @09:51AM (#63803166)
      Skype has real time translation of verbal communications and people in Eastern Europe know about it. I use it for verbal chats with Ukrainians because they can talk in russian or ukrainian and i can talk in English - pretty cool! For text chats, the translation in Telegram is a lot better.
    • You could always ask Microsoft how that $8.5 Billion investment is working out. =P

      Microsoft LOVES to re-invent chat. [versionmuseum.com]

      * V-Chat
      * NetMeeting
      * Meeting Space
      * MSN Messenger
      * Office Live Meeting
      * Skype
      * Microsoft Teams

      • by HBI ( 10338492 )

        The interesting part is that they are generally just looking for a new profit center, rather than re-inventing chat as a goal. Teams is the only thing on the list that fit the bill. The current layoffs were held off for almost 2 years as a result of the windfall profits from Teams implementation.

    • I gave up on it when they deliberately broke the app and custom webcam on my TV. Facetime FTW.

  • by Opportunist ( 166417 ) on Monday August 28, 2023 @09:44AM (#63803142)

    First, anyone who operates a server can know your IP address. It's not exactly top secret information.

    Second, who the hell still uses Skype?

    • Attackers don't normally operate MS Skype servers. Oughtta be proxied.
    • by znrt ( 2424692 )

      First, anyone who operates a server can know your IP address. It's not exactly top secret information.

      first of first, not without me knowing it and starting the interaction. you should be able to appreciate that exploiting a crappy ms app on my phone that misbehaves without me even being aware is an entirely different issue..

      second of first, an ip address can indeed be very sensitive information depending on the context. besides that isn't the point.

      Second, who the hell still uses Skype?

      so first of second, that isn't the point either, it's still a live and maintained product with a gaping hole that should be patched. this is actually newsworthy

    • Second, who the hell still uses Skype?

      My dad and his ham radio buddies. He talks with a guy in England and Germany using Skype on his PC. There are others as well from the U.S. and other countries, just not as often.

      I am dreading the day Microsoft kills off Skype and forces them onto Teams or something similar.
  • Anyone who can get your identity and location from this doesn't need to.

    I have a southern Ontario IP address - which doesn't even show the correct city when you look it up on a geolocation service, because it's registered to the offices of the provincial ISP that issued it to me.

    Good luck finding me to do me ill when the location is effectively 'Toronto, +/- 100km'. I'm still fairly anonymous as 1 of 13 million people in the region. Even if you dropped a mid-sized nuke you'd have to get lucky to take me

    • by jwhyche ( 6192 )

      Anyone who can get your identity and location from this doesn't need to.

      This is one of the reasons I started using a VPN service. I'm really not worried about what my ISP is tracking or law enforcement. I'm more concerned about the random internet wack job than I am those agencies. With a VPN my address comes from a random city hundreds of miles from where my ass is.

    • IP address is useful for cyber attacks, not geolocation. Considering how fat MS Skype serverside seems to be, there's no good reason why MS shouldn't proxy everything.
    • I used to work for a company that had a popular chat program. We didn't care when some kid figured out how to get the IP of other people in the chat. Then he started sending a "ping of death" to those he didn't like. It doesn't matter where your victim is; you can definitely mess with someone when all you have is their IP.
    • by znrt ( 2424692 )

      good luck with that anonymity! ;-)

      your ip is still a valid target, or a valid vector for a target. furthermore. besides your ip address identifies you personally at any point in time on isp and vpn records, you are anonymous as long as nobody looks for you, and thus your ip is information that at best shouldn't be divulged and kept on a "need to know" level. this has nothing to do with obscurity, but with common sense. just as publicly posting your ssn in the us can easily get you into lots of trouble, but

    • by Junta ( 36770 )

      Anecdote about geo location, last time I got a "new sign in from" it reported a location 600 miles away from me, and that's without me trying to obfuscate or anything.

      Of course, 9 times out of 10 the geo location based on IP nails my city, so narrows down to about a quarter million.

    • Good luck finding me to do me ill when the location is effectively 'Toronto, +/- 100km'.

      My situation is similar. I live in Trinidad, CO, but my IP is up around Colorado Springs, over 100mi away because I'm on DSL and that's where the first router I go through is. Considering how mountainous the area is, I doubt that dropping Tsar Bomba on the router would reach me.
    • by gweihir ( 88907 )

      Indeed. IP addresses are not valid secrets to protect anything. Ist this about Windows "security" getting even more laughable or what?

      Incidentally, my IP here gets "geolocated" about 300km away.

    • Kinda problem. I helped track down and service a guy as a personal favor to a close friend. We knew there were maybe 7 places in the world they were likely to be. Within those 7 places it would pretty much identify which group of people they would be hanging out with and make it trivial to locate them based on other information we had. So I did manage to yank his ip address from an email that he sent out trying to taunt my friend ( sent stupidly from his pc... ) , then from that locating him was pretty sim
  • ... to start paying 404 Media for PO work?
  • by OrangeTide ( 124937 ) on Monday August 28, 2023 @10:00AM (#63803198) Homepage Journal

    Technically it's not my IP, it's my ISP's and comes out of a randomly assigned pool. But thank you for playing.

    Fun fact, if you visit my website I also know your IP. Elite hackers can also try random IPs (like a war dial) until they find something interesting on the other end.

    • Re:Ackchyually (Score:4, Informative)

      by tlhIngan ( 30335 ) <slashdotNO@SPAMworf.net> on Monday August 28, 2023 @11:44AM (#63803516)

      I think the "vulnerability" is because of Skype (and many other chat clients) link preview functionality.

      You know, you paste a link in a chat group - be it Discord, Skype, Slack, or whatever, and you get a little blurb about the destination of that link. Perhaps you get a image, and a few lines of context and the title.

      Sometimes it's extra fancy - you paste a YouTube link and a YouTube embedded player appears in its place. You paste something from Threads or X, and the entire thing shows up.

      Of course, to do that requires someone somewhere actually retrieve the link and parse it out. Centralized systems like Discord, the Discord server fetches the link and generates the preview (otherwise a busy server might have hundreds of people hammering the link to do the preview).

      Since Skype is probably more point to point rather than to a crowd, I would expect the leak happens because Skype is doing the preview - so it's fetching the link automatically. Do it with enough parameters and you can identify the target.

      • Yea, I use to do this on IRC. Put a link in the channel to a site where I had access to Apache logs. This was useful if they were on a shell account or otherwise couldn't see their IP. This was back when Smurf attacks [wikipedia.org] were effective ways to grief people.

        (I'm not pretending to be a skilled hacker. Mostly I was being a pain in the ass in order to demonstrate to arrogant people that they weren't quite as anonymous as they assumed)

    • Technically it's not my IP, it's my ISP's and comes out of a randomly assigned pool. But thank you for playing.

      That is a meaningless distinction. It is effectively your IP address for as long as you are using it.

      Also, using a dynamic IP address does not mean that Skype (or any webserver you access) can't use the IP you were assigned for geolocation, which is the threat this article discusses. (You would need to tunnel your traffic through some kind of VPN to obscure that).

    • by gweihir ( 88907 )

      Elite hackers can also try random IPs (like a war dial) until they find something interesting on the other end.

      "Elite" hackers? You mean script babies?

    • With DHCP, your device leased the IP and it belongs to the device until the lease is up. And Skype will reveal each new IP you lease.

  • Can I please, please, "dial" an IP and make a phone call. Fuck your services. Netmeeting, rise!
    • by ls671 ( 1122017 )

      Can I please, please, "dial" an IP and make a phone call. Fuck your services. Netmeeting, rise!

      Already done and functional and uses DNS to map phone numbers to IP but of course, nobody is using it and everybody prefers paying VOIP providers, use skype or what not! See link below:
      https://nickvsnetworking.com/e... [nickvsnetworking.com]

      I had this working with a couple friends but couldn't get anybody else to use it :(

      • Sounds great. I was really just being a jerk saying the thing that NAT prevents. I mean, I will really type in the IP if I could, but phone number could work for me. Hm. I really don't like middle men and the second to the last paragraph of your article kinda says I'd still have to have somebody support it. And frankly, I'm not optimistic about this. Even though I like it--even given the dangers.

        So let me amend my demand: Please let me type in your IPv6 number and simply have a connection that we can do a
        • by ls671 ( 1122017 )

          I really don't like middle men and the second to the last paragraph of your article kinda says I'd still have to have somebody support it. And frankly, I'm not optimistic about this. Even though I like it--even given the dangers.

          Nothing stops you from setting up your own domain name and do the same.

          So let me amend my demand: Please let me type in your IPv6 number and simply have a connection that we can do a vid call with with the software of my and your choosing (possibly different for each of us) over the ISP I am required to accept.

          Already working too. Just install a softphone like linphone and type sip:ipv4/6 to reach the other end, no third party required. The DNS setup is only required to map phone numbers to sip:ipv4/6. That should have been obvious. I do VOIP by the way and it supports video.

          • That should have been obvious.

            Not to me, but I get it now. Telecom is not my thing. Now I can look deeper. Not surprised to find a "back" way. I'm sure it's easier just to sign up for Zoom at the end of the day. But I'm glad I can do it myself if I want. Thanks!

  • Skype is peer-to-peer. As fas as I know, Skype servers are just there to serve as a directory: when your Skype client wants to talk to another Skype client, it gets the IP from the Skype server and then it talks to that IP.

    At least that's my understanding, since the Skype protocol is unpublished, but it's known to be based on Kazaa, which is P2P.

    So yeah, a client sending something to your client will know your IP. That's kind of unavoidable with P2P...

    • by Zak3056 ( 69287 )

      I came here to say the above. "Protocol designed to be peer-to-peer is in fact peer-to-peer and vendor has no plans to "fix." Film at 11."

    • It used to be that way. But they went to central servers about a decade ago, so you aren't as random as you used to be.

    • by Junta ( 36770 )

      Doesn't even matter about whether it's peer to peer or not. He sent a link to a website that he controls the logging for. The "standard" behavior among all chat clients nowadays is to go ahead and connect to the specified URL to render some preview. It's a fairly dumb default (the preview is rarely uselul, but is always big), but it's pervasive, not a "skype" thing in particular.

  • I feel like most messaging platforms with automatic preview by default, or inline image loading enabled do this as a matter of course.

    It'd be good to first time prompt rather than deing it by default (the 'preview the url' feature of messaging and mail clients is generally useless, so I would probably love to be prominently prompted to turn it off anyway.

    • Signal doesn't leak IP addresses, and when you choose to send someone an article from say, the Los Angeles Times, the preview must be rendered on your device prior to transmitting the message.
  • No. Really HOW is this news?

    This is true of any client that interacts with public content, be it mail, your browser or your fricken toaster, (if you decided you can't function without an IoT toaster)

    Did some "researcher" just discover how the Internet works?

    • by gweihir ( 88907 )

      Sounds like it. I mean, IPs are not secrets and should not be. If your security is so bad that you need to keep your IP addresses secret, you are doing it wrong.

  • When is the next lawsuit for Microsoft? They need another smack down. And soon.

    • by gweihir ( 88907 )

      They need to die. Nothing else will fix the massive mess the have created and that is getting worse.

  • by gweihir ( 88907 )

    People can get my IP by doing a domain lookup when they know my name. What is the big deal? Has windows "security" gotten so bad that users of that crap now need to keep their IPs secret?

  • In order to "silently grab [my] IP" using Skype, it would mean that I would have to have that infernal piece of shit installed on any device I own, and actually have that service loaded.

    I have a feeling that might be pretty hard for someone to remotely accomplish, if they haven't already "grabbed my IP" which isn't secure information anyway.

    What a dumb fucking story. If your security depends on someone not being able to find your public IP, you have absolutely no security at all.

Make sure your code does nothing gracefully.

Working...