Researchers have uncovered a major security flaw which allows outsiders to link a Skype account to a user’s download activity on BitTorrent. The exploit works without the knowledge of the victims and also allows outsiders to see the travel patterns of Skype users. The vulnerability opens the door for scammers to blackmail or defraud Internet users, the researchers say, and thus far Skype has shown no interest in releasing a fix.
A new paper published by a group of researchers from Europe and the United States shows that it’s possible to find out what files Skype users are downloading on BitTorrent. The paper titled “I Know Where You are and What You are Sharing” further shows that the exploit allows outsiders to track the locations of Skype users.
The researchers found a way to call Skype users without them noticing. This means that a hacker can call someone and obtain their IP address, all without being noticed. This IP address can then be linked to a geographical location and even to specific BitTorrent users.
The exploit works on a massive scale and the researchers were able to schedule hourly calls to tens of thousands of Skype users. What makes things even worse is that Skype’s privacy settings are unable to block these attacks. Attackers can contact whoever they want, whether they are listed in their contact list or not.
The researchers conducted an experiment in which they tied 400 Skype users to specific downloads on BitTorrent by using publicly available data scraped from the BitTorrent DHT network. Many of these users shared their full contact details, including their full name, city and country. This combination of information can then be used for all sorts of nefarious purposes.
“We believe this could be used by various people to stalk, blackmail, or defraud Internet users in general and P2P filesharing users in particular,” Keith Ross of the Polytechnic Institute of New York University said in a comment. “These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services.”
“A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud.”
The researchers were very careful to protect the privacy of the people they targeted, but others may not be so considerate. One would expect that, because of the immense privacy implications, Skype would be eager to fix this issue, but this is not the case.
“We contacted Skype almost one year ago but the attack is still effective,” researcher Stevens Le Blond told TorrentFreak. Aside from Skype, some of the flaws uncovered by the researchers also affect other real-time P2P communication systems such as Google Talk and MSN Messenger.
The authors of the paper, Stevens Le Blond of the Max Planck Institute for Software Systems, Chao Zhang and Keith Ross of NYU-Poly, and Arnaud Legout and Walid Dabbous of the French research institute INRIA, offer several recommendations on how the security issues can be addressed. These and other findings will be presented at the Internet Measurement Conference in Berlin next month.