Skype security flaw leaves user locations vulnerable

Users of Skype may be inadvertently putting themselves at risk of having their physical location and other personal details stolen, experts warn.

Users of the world’s most popular Internet telephony service may be inadvertently putting themselves at risk of having their physical location and other personal details stolen, experts warn.

Tracking the Skype activities of 20 volunteers and a random sample of 10,000 other users over two weeks, researchers at New York University’s Polytechnic Institute found hackers could discover not only where each user placed each call, but also their peer-to-peer (P2P) file-sharing activity. Their findings were published last month and reported by security software provider Symantec Corp. on Thursday.

“A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud,” Keith Ross, professor of computer science at NYU-Poly, warns in a news release.

Even if a user does not log into Skype for as much as 72 hours, their information is still accessible, the researchers said. Malicious callers do not need to be on a user’s contact list to track their location, and the data can even be obtained if the user configures their Skype account to block calls from non-contacts.

In one example described in their findings, the researchers were able to accurately follow one of their 20 volunteers from New York to a vacation in Chicago, a return to New York, lodging in Brooklyn, then home to France.

“If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” the authors said.

In another experiment, the researchers compared the most popular downloads on commonly used P2P services such as BitTorrent, eMule and Xunlei. Once they had discovered a user’s IP address (which allows them to find a user’s physical location through their Internet Service Provider or ISP) through Skype, the researchers were able to determine which files had been transferred to that address.

“A fairly straightforward and inexpensive fix would prevent hackers from taking the critical first step in this security breach – that of obtaining users’ IP addresses through inconspicuous calling,” the authors conclude.

Skype, which was acquired for US$8.5-billion in cash by Microsoft Corp. seven months ago, proclaims itself as the world’s largest voice over Internet protocol (VoIP) provider. More than 600 million people have registered for the service since it was launched in 2003 and Skype reportedly accounts for 20% of all overseas voice calls.

“Just as with typical Internet communications software, Skype users who are connected may be able to determine each other’s IP addresses,” Adrian Asher, chief information security officer, told the Financial Post in an emailed statement.

“Through research and development, we will continue to make advances in this area and improvements to our software.”