Yesterday it was reported that a simple script could expose any Skype user’s IP address. A Microsoft representative saw my article and gave me this official response, which they also provided to other media outlets:
“We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.”
Adrian Asher, Director of Product Security, Skype
It’s a bit of a non-answer if you ask me. True, P2P by its very nature is going to create connections between your computer/mobile and your ‘target’ computer/mobile. As such, it’s not difficult to determine what IP addresses you are connecting to.
However, Skype leverages supernodes for a large portion of their infrastructure. I believe the supernodes handle authentication as well as call setup (or IM setup). So these supernodes act as an intermediary (proxy) between peer1 (your computer) and peer2 (target computer).
Thus, I wouldn’t expect peer1 to see peer2’s IP address. Apparently, this vulnerability leverages the search feature in Skype and the viewing of a user’s vcard info and presence (online/offline). My guess is that Skype queries the supernodes when searching for a Skype user, but then once it finds the user, it sets up a direct P2P session between your computer and the Skype user you searched for and pulls the relevant vcard / presence information. Game, Set, Match! IP address exposed!
If my assumptions are correct, I can see why Skype set it up this way. If they use supernodes to also “pull” the vcard and presence information, that’s an additional load on the supernodes. I’m fairly sure, but not positive, that your Skype client also makes a direct P2P connection with each of your existing buddies to pull presence information, which would also expose IP addresses. But if you have 100 buddies, trying to figure out which IP address belongs to which 1 of the 100 buddies would be difficult. If Skype made a technical change forcing each Skype client to pull presence info via supernodes (pseudo proxy) instead of direct P2P connections, that would drastically impact performance of the Skype network. This may be a huge architectural change to solve this IP address vulnerability.
However, Skype could simply change their search function to use supernodes (mask IP addresses) and allow the Skype client to query its buddies using P2P (IP addresses can be determined). At least this would block any non-buddy from determining your IP address. I may be wrong in my technical assessment, so I will reach out to Skype for further comment on this. Stay tuned…
Copyright VoIP & Gadgets Blog