Skype flaw can reveal users' identity, location, filesharing habits

By on October 20, 2011, 6:30 PM

Security researchers have revealed vulnerability that could allow an attacker to identify a person, track their location and monitor their filesharing habits. In a paper titled "I Know Where You are and What You are Sharing: Exploiting P2P Communications to Invade Users' Privacy," the experts draw attention to real-time communication applications such as Skype.

The group discovered how to call Skype users without them realizing, allowing the caller to secretly nab someone's IP address. This is accomplished by blocking certain packets and quickly terminating the call before the recipient is alerted. It can performed even if the victim is connected behind an NAT firewall or if they specifically block calls from non-contacts.

An IP address can be geolocated with relative precision and many users connect from mobile devices, so an attacker could perform that stealth call and track someone's rough whereabouts over any given duration. The researchers tracked one volunteer from a New York university to Chicago, back to the school and Brooklyn lodging, then to his home in France.

Once you have someone's Skype identity, it's generally not hard to find them on other social platforms such as Facebook or LinkedIn. Among other things, this could reveal more details about your location. "If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when," the authors said.

One could easily discover a victim's name, age, address, profession, employer and more. The researchers specifically noted that this could be abused by marketers to create an inexpensive profile database on targets. They estimated that it would cost a marketer $500 a week or less to track 10,000 users -- but the flaw has deeper implications than that.

In an experiment, the researchers scanned the top 50,000 BitTorrent files and linked 400 Skype users to downloads. Again, Skype users often share their full contact details, including their name and location. We doubt this information would (could?) be used by copyright regulators in court, but plenty of unsavory individuals would surely take advantage.

"We believe this could be used by various people to stalk, blackmail, or defraud Internet users in general and P2P filesharing users in particular," said Keith Ross of the Polytechnic Institute of NYU. "These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services."

"A hacker anywhere in the world could easily track the whereabouts and filesharing habits of a Skype user -- from private citizens to celebrities and politicians." The researchers notified Skype about the issue nearly a year ago but it hasn't been resolved. They plan to present their paper at the Internet Measurement Conference 2011 in Berlin on November 2.

User Comments: 10

Got something to say? Post a comment
Guest said:

skype has always had these sorts of issues, hopefully microsoft, or whichever company bought it will fix it.

spydercanopus spydercanopus said:

How about the adware behavior in the last couple months where Skype will open a webpage within your browser with specials every time you reboot?

Guest said:

just when you thought it was safe to go back on the net, you find out you have to wear a bigger thicker tin-foil hat

IvanAwfulitch IvanAwfulitch said:

An exploit that allows people like law enforcement and government officials to track you and potentially catch you doing something illegal.

And you honestly believe that a flaw like that is unintentional.


Gars Gars said:

about the Skype Home popup

im using KSH (KillSkypeHome) for a several months

find it very useful, especially the Nuke function

on the topic,

the news is very disturbing but not surprising at all

Kibaruk Kibaruk, TechSpot Paladin, said:

I feel violated =s

Guest said:

Not that surprising, though since Microsoft has bought it I'm sure that will resolve some of these issues. I don't leave Skype running all the time, only when I need to make a call. I don't use Facebook, so no need to worry there.

Guest said:

There is a security loop hoe in Skype? Yikes, don't tell everybody. That is like announcing that somebody has a bad habit of keeping their car door unlocked and keys in the ignition in the newspaper. Someone might get a "good" idea.

Keep it a secret until it is resolved.

gLitCh32 said:

Announcing it will speed up the process because it puts pressure on them. I think that's a good thing, besides, they told Skype a year ago?? That should be plenty of time!

spydercanopus spydercanopus said:

IvanAwfulitch said:

An exploit that allows people like law enforcement and government officials to track you and potentially catch you doing something illegal.

There ALWAYS seems to be an easily accessible, but little known exploit lately. Probably part of UN Agenda 21.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.