[German]A security researcher has come across a way to determine the IP address of a Skype user without the target person even having to click on a link (IP address spoofing). This could be used to spy on people (e.g. activists, dissidents, etc.). Microsoft has been contacted by the security researcher about this, but is of the opinion that this vulnerability in Skype does not need to be fixed immediately and wants to take its time with a patch. To my knowledge, however, it currently only affects Skype's mobile apps.
Advertising
We know your IP address
I became aware of the issue via the following tweet from Joseph Cox. A security researcher named Yossi informed Joseph Cox about a vulnerability in Skype that Microsoft refused to fix. In order to verify if the vulnerability has the described impact, Joseph Cox asked for a test. First, the security researcher sent a link to google.com via Skype text chat, the link led to the real Google website and not a fake one.
Although Cox did not tap the link on his iPad, he just viewed the chat message. Then the security researcher was able to send Cox the IP address he was using. Cox wrote that for this first test, he even used a VPN connection to hidethe IP address used – but that doesn't help with Skype.
Then he wanted to check again within a public WLAN network, but without a VPN, whether this vulnerability could be abused and connected. Then he asked the security researcher to send another link. This time, the security researcher sent a link to 404media.co via chat. This was a legitimate link as well. The security researcher then sent Jospeh Cox an IP address again, pointing to the district from which Josph Cox had dialed into the public WLAN and established the Skype session.
Thus, the security researcher had tested the whole thing with links to Google as with links to the 404 Media website. All these links led to the legitimate websites, where no malicious code or similar lurked. However, by making a small change, the security researcher was able to find out the IP address of the Skype target.
Advertising
The problem only affects Skype's mobile applications, the security researcher said. When Cox used the Mac version of Skype, the security researcher could not find out Cox's IP address. The problem is probably that the apps have much more information about users than a web client. A corresponding service must then take technical precautions to isolate the IP address of two Skype partners during a communication, preventing anyone from finding out that IP address of the communication partner. Skype allows a hacker to tap the IP address of its target without the victim's knowledge or consent.
Microsoft takes its time
The issue is now documented by Jospeh Cox on 404mdia.co in the article Hackers Can Silently Grab Your IP Through Skype. Microsoft Is In No Rush to Fix It. The security researcher, reported the problem to Microsoft after its discovery in early August 2023. Microsoft's response via email was probably that the problem does not need to be fixed immediately. In the email exchange between the security researcher and Microsoft (which Cox has), there was no indication that the company planned to fix the vulnerability. It wasn't until Cox then reached out to Microsoft via 404 Media for comment that the company said it would fix the problem in an upcoming update.
Why this is a problem
Of course, the fact is that everyone who visits a website leaves their IP address behind. People therefore turn to anonymizing services like Tor or VPN software to disguise this IP address. But this is not possible with Skype, because the Skype client communicates with Skype's servers. Cox points out in his article that the above fact should pose a serious threat to activists, political dissidents, journalists, and many others.
The IP address can at least be used to identify the part of a city where someone is staying. In a less densely populated area, an IP address can be even more revealing because there are fewer people there who could be associated with it. If law enforcement or regimes know the IP address assigned by the provider, the person in question can be matched to a Skype contact.
Cooper Quintin, a security researcher and senior public affairs technologist at the activist organization Electronic Frontier Foundation (EFF) told Joseph Cox when asked, "I think just about everybody could be harmed by this. " and his biggest concern is "that people's location could be tracked for physical escalations and people's IP address could be tracked for digital escalations." Quintin pointed to the possibility of abuse against dissidents working under pseudonyms. This attack could be used to learn their location and identity.
Advertising
