May 24, 2013

A few months ago, I warned readers that a glaring privacy weakness in voice-over-IP telephony service Skype allows anyone using the network to quickly learn the Internet address of any other Skype user. A new beta version of the popular Microsoft program appears to have nixed that privacy leak with a setting that restricts this capability to connections in your Skype contacts only.

A new privacy feature in Skype Beta 6.5 for Windows and Mac 6.4

As I wrote on March 21, 2013, a number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name.

The resolvers can look up the IP address of any Skype user — whether or not that user is in your contacts list or even online at the time of the lookup. What’s more, resolver services frequently are offered in tandem with “booter” or “stresser” services, essentially sites that will launch denial-of-service attacks against a target of your choosing.

Apparently in response to this problem, Microsoft has added a new option to its Skype 6.5 Beta, released April 30, that lets users restrict direct connections to their contacts only. The information tab on this option, found under Skype->Options->Connection, says: “When you call someone who isn’t a contact, we’ll keep your IP address hidden.”

I pinged Microsoft for an answer as to whether this feature was designed to plug the privacy leak exposed by resolver services. The company declined to say specifically what it may have changed about the Skype network and/or its software to address this problem, but it attributed the following emailed statement to a “Skype spokesperson”:

“Skype for Windows Beta 6.5 and Mac 6.4 now offer the option to prevent people not on your contact list from viewing your IP address. With this beta program, only your contacts will be able to access this information. We are allowing users to test this new security function and welcome any feedback as we continue to improve the communication experiences on Skype.”

I tested this beta version of Skype against a free Skype resolver service that has been reliable in the past at looking up IP addresses tied to specific Skype accounts. When I ran it against my everyday account using an older version of Skype, it successfully found my home IP. When I created a new Skype account with the Skype 6.5 beta on a separate machine, enabled the privacy feature and then tried the lookup again, it failed to locate my IP.

I should note that some Skype resolvers will cache previous lookups. That means if your Skype username has previously been looked up at a Skype resolver service, that service may show the correct IP for your Skype username if your IP address hasn’t changed since the last lookup.
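The caching caveat matters for anyone who wants to repeat this test: a resolver that returns your correct IP after you enable the option may be serving a stale hit rather than a live leak, which is why a fresh, never-resolved account is the right control. The following harness is an added example, not code from the original post or from Skype or Microsoft; the resolver in it is a constructed simulation (the post does not document how real resolver sites work, so only the two behaviours it describes are modelled: a lookup by username, and caching of earlier answers), and the account names and IP addresses are made up.

```python
# Added example, not from the original post: a simulation of the leak test
# described above, including the resolver caching pitfall.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class SkypeAccount:
    """Hypothetical model of one Skype login used in the test."""
    username: str
    public_ip: str                           # real external address of the machine
    hide_ip_from_non_contacts: bool = False  # the new Beta 6.5 connection option


@dataclass
class SimulatedResolver:
    """Constructed stand-in for a 'skype resolver' site (assumption: a real one
    is a third-party web service; only the behaviour the post describes is
    modelled: it returns an IP for a username and caches earlier answers)."""
    accounts: Dict[str, SkypeAccount]
    cache: Dict[str, str] = field(default_factory=dict)

    def live_lookup(self, username: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or acct.hide_ip_from_non_contacts:
            return None  # the resolver is not a contact, so nothing is revealed
        return acct.public_ip

    def resolve(self, username: str) -> Optional[str]:
        ip = self.live_lookup(username)
        if ip is not None:
            self.cache[username] = ip
            return ip
        return self.cache.get(username)  # stale answer from an earlier lookup, if any


def classify(result: Optional[str], acct: SkypeAccount, seen_before: bool) -> str:
    """Interpret one resolver answer. seen_before: the username was resolved
    before the privacy option was enabled; then a correct hit cannot be told
    apart from a cached one."""
    if result is None:
        return "hidden"
    if result != acct.public_ip:
        return "wrong-or-stale"
    return "leak-or-cache" if seen_before else "leak"


def run_leak_test(resolve: Callable[[str], Optional[str]],
                  old_acct: SkypeAccount, fresh_acct: SkypeAccount) -> Dict[str, str]:
    """The three measurements a practitioner wants, in order."""
    # 1. Baseline: old client, option off, an account resolvers have seen before.
    baseline = classify(resolve(old_acct.username), old_acct, seen_before=False)
    # 2. Pitfall: enable the option on the same account and look it up again.
    old_acct.hide_ip_from_non_contacts = True
    reused = classify(resolve(old_acct.username), old_acct, seen_before=True)
    # 3. Control: a fresh account created on the beta with the option on, which
    #    no resolver has cached, as the post's own test did.
    fresh = classify(resolve(fresh_acct.username), fresh_acct, seen_before=False)
    return {"baseline": baseline, "same_account_after": reused, "fresh_account": fresh}


def demo() -> Dict[str, str]:
    # Constructed accounts; the addresses are from RFC 5737 documentation ranges.
    old = SkypeAccount("everyday.user", "198.51.100.23")
    fresh = SkypeAccount("beta.test.account", "203.0.113.77",
                         hide_ip_from_non_contacts=True)
    resolver = SimulatedResolver({a.username: a for a in (old, fresh)})
    return run_leak_test(resolver.resolve, old, fresh)


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step}: {verdict}")
```

The second measurement is the one that misleads: the resolver still answers with the correct address for the old account after the option is switched on, so that run alone cannot tell a live leak from a cached one. Only the fresh account, which the resolver has never answered for, gives a clean "hidden" result.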


30 thoughts on “Skype Beta Plugs IP Resolver Privacy Leak”

  1. Frank Sudia

    To be of help to the average user, this should be an opt-out, not an opt-in. As an opt-in, it will remain a massive privacy violation for the foreseeable future.

    1. Julius Kivimäki

      I really wonder how the “leak” of an IP address is a “privacy violation”. You know that the internet kind of relies on those being public to function, right?

      1. dtb

        Any product that allows direct end-to-end connections or communications by definition has to expose both the source and destination IP addresses. I get your IP address when you send me an email, why not a phone call?

        1. AlphaCentauri

          Because you don’t have to have any known contact with that person. Think about a woman being stalked by someone she wishes no contact with. No matter where she moves, he can find her general location if she uses Skype, and she doesn’t even know he’s doing it.

          1. BrianKrebs Post author

            Or a “rebel” in Syria that is fighting against the government and is tracked every time he logs on somewhere because he’s using Skype.

            1. lol

              That is the worst possible example. What is actually happening here is that instead of the rebel having a private, secure, direct connection to whoever, he is being connected to a Microsoft server and then to his friend. Skype now has MORE capability to track him, not less, and can also give video, sound and IM logs to the oppressive government.

              1. voksalna

                Part of the wonderful ‘upgrades’ that Microsoft did in 2011 — get rid of the decentralisation of Skype — also let CALEA have a new playground. The feds do not like the ‘dark net’. By centralising everything they permitted far easier monitoring. I actually thought this article was going to be about the recent discovery that URLs being sent in private Skype conversations were being directly accessed by MS.

                1. mbrownnyc

                  Still waiting on jitsi to be as versatile as skype (really handling the NAT traversal issue well, particularly; not sure if they have a free STUN/ICE server up)… in the meantime, there are some publicly accessible xmpp servers that will help with privacy issues: https://dukgo.com/blog/using-pidgin-with-xmpp-jabber and https://help.riseup.net/en/chat

                  With a client that supports ZRTP or other public key crypto stuff (and unless it’s 2050 and the NSA doesn’t yet have a cluster of 256 chip quantum computers, and Brian Snow is right [see PaulDotCom podcast interview]), the conversations should be private.

            2. Neej

              Yes fair point but is anyone that values their privacy/anonymity actually using Skype? I know I wouldn’t be …

        2. john senchak

          Getting an I.P. number from a header is dependent on the email service. An online service like fastmail.fm sends out emails using a proxy, which gives you a layer of privacy protection.

      2. Daniel

        Recently the e-sports scene has been abused by hackers DDoSing specific teams they put bets on so they could win, simply because they could win 100-200 USD worth of virtual game items. The current theory is that Skype is the main culprit for revealing IP addresses, since it is the de facto standard for team coordination and event organising.

        1. jan

          I know this happened in the online high stakes poker scene. Player A built a very big pot by moving all in, and – by knowledge of the opponent’s IP using skype resolvers – immediately started a DDoS on player B, forcing him to disconnect, not be able to react to the move and thus losing the hand.

  2. Stratocaster

    Did the “Skype spokesperson” have any information about Skype for mobile devices? Like when you are using a tablet or phone with home Wi-Fi?

  3. john senchak

    You can’t trust Microsoft with privacy issues and you sure can’t depend on them to create a half-decent operating system.

  4. char

    To mitigate this issue even further, you can log in to Skype on a mobile device using 4G. That way, if the hackers somehow bypass this, they will get the IP address of the telecommunications provider.

    What are the benefits of them having your 4G IP?
    1.) It can’t be tracked to you, as many people connect to the 4G towers.
    2.) The IP whois is almost never accurate.
    3.) 4G towers have 10Gbps+ of bandwidth, making it quite a bit harder for them to DDoS you.

  5. Vincent

    I don’t understand how this would “stop” the resolving? This, as described, prevents the caller you’re calling (who is not a contact) from getting your IP address from when you call them. It says that, right there in the options.

    No, Skype resolving doesn’t require any calling; it happens when adding the contact (it’s all available to see, the source code is on Github). In an older version of Skype, it would reveal the IP address in some sort of log (maybe an error log).

    I do not see this preventing it.

    1. Linkcabin

      Incorrect, the skype resolver usually uses a deobfuscated version of Skype 5.9 and uses this to send requests to open the user’s profile, whether you are a friend or not, and find a specific part that reveals the IP. No calling or adding a friend is needed. With this, you need to be a friend with someone to use that particular Skype to resolve you, making it almost impossible to resolve someone’s profile.

      Although this is a well-deserved update for the Skype community, there are still privacy concerns, such as how easy it is to “jack” someone’s account from Skype, with the wonderful help of Skype support.

      Regards,
      L!nk

  6. Chris Thomas

    Skype has disincentivised many from updating their Skype clients due to dropping support for webcams such as my Labtec device. So much for encouraging security updates.

    Presumably this is to boost sales in the Skype shop. M$ must be desperate for cash.

    1. voksalna

      They are also pretty cruel to Linux users.

  7. lol

    So instead of more private p2p calling and messaging, what Skype was originally about, we have centralised servers that they can now keep records with. This has been a problem ever since Microsoft acquired Skype, and now it seems they’ve got what they wanted. With the new Xbox having mics and video always watching, and having to connect to the internet once a day, they have invaded everyone’s privacy. I hate to say it, Krebs, but this is causing a lot more privacy concerns in my opinion.

  8. Wayne

    By clicking on the link to the Skype blog, I see those of us with older OS’s (I use Vista Home Premium w/SP2) are plumb out of luck for the upgrade, huh?

    1. Linkcabin

      I would upgrade anyway, Vista Home Premium SP2 is a nasty operating system. I’d just upgrade to Windows 7.

  9. Baneki Privacy Labs

    Filed in 2009, this is Microsoft’s patent application for breaking the privacy benefits of genuinely peer-to-peer communications topologies by propagating infected route information to Skype clients:

    http://www.cultureghost.net/viewtopic.php?f=28&t=245&p=2827#p2827

    In terms of resolvability of IP during a comms session, of course the idea here is that Microsoft is acting as the functional equivalent of a proxy: stripping the physical IPs of each participant as the data flows through MS-controlled server resources. That means, as others have pointed out, that your conversational partner may not be able to see your physical IP but – definitionally – Microsoft has it. And stores it. And provides it to… well, whoever they feel like providing it to.

    Running Skype over a genuinely effective VPN service should prevent Microsoft from obtaining this local IP knowledge… that is, unless the Skype application itself is capturing it on the local machine and sharing it with MS servers surreptitiously. Which might seem paranoid, if it weren’t congruent with so much else we’ve seen in terms of Skype’s transition from privacy-friendly tool to well-documented snitchware.

    ~ Baneki Privacy Labs

    1. mbrownnyc

      This is a great observation. Note that Skype clients will route messages and video direct to peers via whatever least cost route is available, including any tunnels. However, you cannot log on to skype or have your presence propagated to other clients except through MSFT servers (not totally correct, as a call or IM should find the route and report your presence). This is why I truly can’t wait for the jitsi devs to implement ICE. Too bad it is unlikely that another peer-to-peer network like Skype (that can leverage the bandwidth of many to route and handle the traffic) will rise in its place.

  10. Taras

    I am interested in whether these security problems with IP discovery can be applied to Skype versions for Linux OS.

    1. jan

      Your service doesn’t work anymore: Information – Error: Failed to connect to server “”

Comments are closed.