TorrentFreak

The place where breaking news, BitTorrent and copyright collide

Security Flaw Links BitTorrent Users to Skype Accounts

Researchers have uncovered a major security flaw which allows outsiders to link a Skype account to a user’s download activity on BitTorrent. The exploit works without the knowledge of the victims and also allows outsiders to see the travel patterns of Skype users. The vulnerability opens the door for scammers to blackmail or defraud Internet users, the researchers say, and thus far Skype has shown no interest in releasing a fix.

skypeA new paper published by a group of researchers from Europe and the United States shows that it’s possible to find out what files Skype users are downloading on BitTorrent. The paper titled “I Know Where You are and What You are Sharing” further shows that the exploit allows outsiders to track the locations of Skype users.

The researchers found a way to call Skype users without them noticing. This means that a hacker can call someone and obtain their IP-address, all without being noticed. This IP-address can then be linked to a geographical location and even specific BitTorrent users.

The exploit works on a massive scale and the researchers were able to schedule hourly calls to tens of thousands of Skype users. What makes things even worse is that Skype’s privacy settings are unable to block these attacks. Attackers can contact whoever they want, whether they are listed in their contact list or not.

The researchers conducted an experiment where they tied 400 Skype users to specific downloads on BitTorrent by using publicly availably data scraped from the BitTorrent DHT network. Many of these users shared their full contact details including their full name, city and country. This combination of information can then be used for all sorts of nefarious purposes.

“We believe this could be used by various people to stalk, blackmail, or defraud Internet users in general and P2P filesharing users in particular,” Keith Ross of the Polytechnic Institute of New York University said in a comment.“These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services.”

“A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud.”

The researchers were very careful to protect the privacy of the people they targeted, but others may not be so considerate. One would expect that, because of the immense privacy implications, Skype would be eager to fix this issue but this is not the case.

“We contacted Skype almost one year ago but the attack is still effective,” researcher Stevens Le Blond told TorrentFreak. Aside from Skype some of the flaws uncovered by the researchers also affect other real-time P2P communication systems such as Google Talk and MSN Messenger.

The authors of the paper, Stevens Le Blond of the Max Planck Institute for Software Systems, Chao Zhang and Keith Ross of NYU-Poly, and Arnaud Legout and Walid Dabbous of the French research institute INRIA offer several recommendations on how the security issues can be addressed. These and other findings will be presented at the Internet Measurement Conference in Berlin next month.

The Paper

Related Posts

Previous Post | Next Post

  • 11

    Sauce ?

    • Felipe

      How about a good old fashioned link to the paper instead of having to use that bloody scribd :rolleyes:

      And talking about privacy, anyone notice how the comments are not readable unless you allow a disqus tracker nowadays? Never used to be like that TF. Anyone wanna try, just use the Ghostery plugin for Firefox and try and block the disqus tracker.

      Since TF started to use disqus there has been a definite mission creep of what script / tracking one has to allow just to see the comments. TF, you’re selling your readers privacy out.

  • http://twitter.com/icanhazsake Ninja

    Well, it’s a hint to how Skype is worried about their users security. Worth watching the developments of this since I am a skype user too. Not too worried, I don’t share any personal data on my skype account.

    • Ahnon

      Ninja, re-read the article. You are still vulnerable even if you don’t share any personal data on your skype account. It’s a matter of you IP address.

      • Scary Devil Monastery

        It’s a non-issue as long as you use a VPN. Or, more appropriately, as long as you use Skype on a different tunnel than your browser and p2p-client, for instance.

        Assuming you have ipv6 turned off that is – ipv6 is a living DNS-leak which keeps trying to sneak out of your tunnel. Always disable it as standard until encryption protocols catch up.

        • http://twitter.com/icanhazsake Ninja

          Or if you live in a sane country ;)

          I like to use services that allow me to config the bt client to run through them instead of running the entire connection through a tunnel (BT Guard if memory serves) but I don’t use those. I’m currently using put.io not for the anonymity but for the ease of use, speed and ability to instant download from many cyberlockers. And once I get the things into my HDD I fire up the torrent client and seed.

        • Affe

          What about just not keeping Skype on when you are not using it and that you are not using public trackers?

      • http://twitter.com/icanhazsake Ninja

        Yes, but an attacker could find my IP and the location of the hub of my ISP. My concern is not with copyright morons, they can’t do shit in my country if it’s about sharing for non-commercial purposes. I’d be more concerned with other types of attacks. I’ll be following this because it allows other types of abuses.

        Just food for though but Skype, as far as I know, is owned by Microsoft for a while now (and it was an US company before that) so could we assume the lack of action is because it’s a backdoor for Govt sponsored espionage?

  • Tokingarg

    No worries, now that Micro$oft took over, the problem will be fixed in no time!

    • Anonymous

      NO time being the operative word here, i think. when they feel like it is nearer the mark!

    • http://www.facebook.com/macfan97 Moritz Mahringer

      oh yes just like lnk expl.

    • http://twitter.com/icanhazsake Ninja

      I hit like for the sarcasm. It was sarcasm wasn’t it?

      • Guest

        Of course!

  • Anonymous

    Skype never worries about user privacy. It’s the main reason why Skype has ethical issues.

  • Guest

    This is what you get when you use closed source software even more when it’s owned by Micro$oft…

    Embrace Open-source
    Embrace GNU/Linux!

    FUCK THE MAFIAA

    • Guest

      Microsoft bought Skype in May, less than half a year ago. Skype was informed about this over a year ago. Way to wave your ignorance like a neon green flag.

    • Beavis

      “Microsoft Hatred is a Disease” – Linux Torvalds

      • http://www.facebook.com/macfan97 Moritz Mahringer

        but it’s innocuous

      • Guest

        It is until you realize the harm Microshit did and continues to do.
        MICROSOFT IS NOT YOUR FRIEND just like GOOGLE, MAFIAA wake up

      • Scary Devil Monastery

        So is paranoia.

        Just because you are paranoid still doesn’t mean they aren’t out to get you.

        Where MS is concerned, there are valid reasons for suspecting them of being completely uncaring about their customer base – right up until they discover they stand to lose real money on their behavior. This is to be expected from any company and therefore no matter how “benign” a corporation’s outlook you should always assume that they are dead set on robbing you blind one way or the other if you let them.

  • Foolmeonce

    “…and even specific BitTorrent users.”

    @Ernesto really?! A specific user? Not just a user on that IP?!

    IP can’t be tied to a specific person!!!

    Is TF joining the MAFIAA spreading bullshit? Change the wording please as this does not reflect the truth of things.

    I can call myself Donald Duck as my full name and address the account to what ever address I feel like at the moment…

    It’s not hard to do anything similar with any snooper you’d feel like using, HOW IS THIS NEWS?!!! How is it news that you can get an IP(Snooping, use Skype for it, randomly choose one from an ISP(there are lists available as to what IP is assigned by what ISP), etc. etc. and crosscheck it on a BitTorrent swarm?! How on EARTH!! is this news?!

    This is bullshit framed with golden leafs, they can see that the same IP they call on skype have downloaded something on BitTorrent BUT it can’t be ruled out that it’s another person using the skype account, since one connection = the IP, but you can have many people on one connection, not to even touch on the subject on spoofing addresses… So any linkage they make is irrelevant as they could get the SAME information from your/an ISP i.e the IP->The Internet Account Holder…

    So NO it can’t be tied to a specific BitTorrent user only to an IP and as we all know: “An IP isn’t the same as a person.”
    No matter how many times the MAFIAA is saying otherwise.

    I CALL BULLSHIT!!!

    • Ahnon

      Actually, I find this article very relevant for TF readers and torrent users in general. Given that we use BitTorrent we are vulnerable because our IP address (if not hidden by VPN, etc) can be viewed by others. Thus, if we have a Skype account, the discussed exploit can reveal an IP address than can be tied to our torrent activities; torrent users are thus much more vulnerable than users of Usenet or file hosting sites, for example. Of course an IP can’t be tied to a specific person; Ernesto of all people would know that. However, it doesn’t hurt to be cautious and the article is useful for preventing the above exploit from impacting Skype/Torrent users. Take a chill pill.

    • Guest

      I’m not seeing anywhere in the article that says that the data mined using this exploit could be used by entertainment companies for lawsuits, which is the only time when accuracy even theoretically matters. The danger here is some shady individual or group cross-referencing IP-addresses of filesharers, Skype account data, and a phone book to connect an address or phone number to a particular torrent download.

      Even if the person sending out letters/calls isn’t a copyright holder, and even if they don’t have great accuracy, there will be plenty of people willing to pay hush money when someone catches them downloading something they’d rather not have their family and/or friends to find out about.

      Letting anyone gain access to information similar to what the “legal” extortionists bully from ISPs is dangerous to say the least. If you gave fake information to Skype, this exploit probably doesn’t mean much to you as all it can do is link your fake Skype account to the IP you are using. But for the people who made the mistake of using their real information and using the same IP for their filesharing, this is a very real threat.

    • http://twitter.com/icanhazsake Ninja

      Missed the point. Entirely.

      And by MAFIAA standards it could be used to identify a person yes (even though we and TF know that it can’t). Jumping to conclusions, are we? Or simply trolling?

      By the way, the much needed citation:
      http://torrentfreak.com/ip-address-not-a-person-bittorrent-case-judge-says-110503/

    • http://mzl.la/n9FAit Needlez™

      What I think is being refered to here is if the person is logged into like a skype account that ties in the correct relative information about that person and the IP for that Skype is logged and then the same IP is used for bittorrent. If that is the case yes still the IP isn’t that person, but the IP of the skype account, is logged and the skype belongs to the person in question well then they can say that this IP did it and the IP co-insides with this skype so the owner of this skype account is guilty. However I do agree with you fully, I can think of over a million issues and problems with the thought of the IP of the skype account: for one: owner name is fake, 2: spoofed IP, 3: VPN 4: repeater IP from another device like a second wifi card which has a seperate IP on a network, and seperate IP from dynamic DNS if setup, the list goes on and on. Seriously I personally don’t understand why people don’t explain to judges or get a team of computer nerds to go in to court and point out how spoofing and shit like that works. Its just utter stupidity that should be brought to light so that these stupid cases of convicting DEAD people, Printers, and other random shit would stop.

  • Anonymous

    No surprise there when almost any program that connects to the network can be hacked such as with a buffer overload. What is a surprise is that Skype has done nothing to fix the problem.

  • Trollface

    LOLOLOLOLOLOLOLOLOL says trollface.

    Glad I never fell for the Skype hype fad.

  • Trollface

    LOLOLOLOLOLOLOLOLOL says trollface.

    Glad I never fell for the Skype hype fad.

  • Guest
  • Anonymous

    lol, OK so imagine that? Thats jsut too funny dude. Seriously.
    web-privacy.eu.tc

    • Ahnon

      Dude, go away, Your comments are always so lame. Stop advertising you site here, not one visits it.

  • Pingback: === popurls.com === popular today

  • Kuumissi

    I dont use DHT (ever) – It is MAFIAA owned spying network, much worse than skype app.

    • http://twitter.com/icanhazsake Ninja

      [citation needed]

  • Pingback: P2PTalk » Security Flaw Links BitTorrent Users to Skype Accounts

  • Esk

    Yeah, right. The Four Commandments of a Bit Torrent user:
    1. Never use DHT.
    2. Never use PEX.
    3. Never use Local Peer Discovery.
    4. Never share your personal data with third-party applications (yes, Facebook, I’m looking at you too).

    Instant band-aid if you’re BitSinner: edit your Skype account (good luck searching for Elvis Presley from Zimbabwe, mates), and set the profile to use the Second Email, preferably in .so, .ru, .il or another “in the middle of nowhere” domain.

    • http://twitter.com/icanhazsake Ninja

      1 to 3 are bs. You must be one of those “Private trackers are immune to scrutiny” kids. Surprise, surprise! They are not. And if you use 1 to 3 only the chances of being caught are significantly less since MAFIAA seems to rely on data from trackers…

      • Jdbpogo

        “And if you use 1 to 3 only the chances of being caught are significantly less since MAFIAA seems to rely on data from trackers… ”

        even if you use 1-3 your chance of being caught is just the same. once you connect to a peer your info is shared with the swarm. if your not on a private tracker it makes no difference privacy wise if you run dht/peer xchng or not.

    • http://mzl.la/n9FAit Needlez™

      Just thought I’d chime in here too: I use third party applications with my real information for instance right now, DIsquss and FB. And I’m sure there are others, however that shouldn’t matter. Also as far as DHT, PEX, LPD, and anything else that can be used to obtain an IP or information about the shares on a torrent, I think I’ll point this out the IP can NOT be used to identify the original person who is doing the download. I put it bluntly, say I have a computer in my house but I’m not on it downloading but my friend is and my computer has the same IP cuz I’m still at my house and using the same connection then technically the IP would belong to my computer, but what’s more lets say my computer doesn’t have a wifi card in it, but a portable wifi card, then the IP belongs to the portable card cuz it contains a seperate IP for each different device on my network. See what I mean and then my thing in court would be the wifi card did it. You can’t prove that I own the wifi card, you can’t prove I was typing on the computer. What you can prove is the the IP belongs to this wifi card, and the torrent was downloaded by that IP. Therefore the wifi card must have downloaded the file by itself and since the wifi card is an inanimate object well I don’t know how that would work in court. Just pointing that out.

  • Esk

    Yeah, right. The Four Commandments of a Bit Torrent user:
    1. Never use DHT.
    2. Never use PEX.
    3. Never use Local Peer Discovery.
    4. Never share your personal data with third-party applications (yes, Facebook, I’m looking at you too).

    Instant band-aid if you’re BitSinner: edit your Skype account (good luck searching for Elvis Presley from Zimbabwe, mates), and set the profile to use the Second Email, preferably in .so, .ru, .il or another “in the middle of nowhere” domain.

  • Glib

    Ok, so in order to find out where someone lives (assuming you currently see an IP in a swarm you’re trying to identify) you will have to cold-call every single Skype user?Seems like the only threat is if someone is spying on one specific user (whose Skype account they know) and feels like going swarm to swarm to ferret them out.

    Plus, so you have their IP and their Skype name, are you going to search through all of Little Rock, Arkansas to find Bob McCracken? My account doesn’t give me the option of putting a street address, so I could probably nail down their geographic location almost as well simply with their IP alone.

    Ok, the Skype weakness is not good, but the problem seems to be slightly sensationalized.

  • http://twitter.com/AlyssaBlindy Alyssa Blindy

    The reason that people can figure out who a user is by using this technique is because many people are oblivious, and will put their real names, locations, and so on on Skype. Therefore, that’s when the IP address can be linked to the person, because the Skype user has that IP address, and has placed their name and address on Skype.
    Maybe people who are using BitTorrent should close Skype while they download, if possible. Or, use Skype on a different computer.

  • http://www.smallperturbation.com Connor Behan

    Ok, so if I knew someone’s Skype account I could find out their IP address and then spend months trying to look for this IP address in a DHT scrape? No one is going to go to this kind of trouble. If I worked for the MAFIAA and wanted to cause trouble I could also target IPs that have edited savvy articles on Wikipedia. Are we going to blame Wikipedia now?

    • Noone

      Trouble? I’m no expert programmer but in just 10 min’s I logged IP’s on one of my swarms, CSV’d the log into Excel, created a macro to run through the IP’s from a dummy list I invented. (I got no hits BTW) So I purposely added into my dummy list an IP I knew was in the swarm & got a hit straight away.

      Doesn’t take a lot of work to do this kind of stuff from scratch & even less to do once you have it setup.

      So everyone who’s crying MAFIAA wouldn’t go to these lengths think again!

      • http://www.smallperturbation.com Connor Behan

        Yeah and you wouldn’t get any hits unless you had spent years building up a database by hacking Skype accounts, or months scraping Wikipedia or days negotiating with privacy violating ISP. There are easier ways to put names to IPs.

  • DocGerbil100

    I’m no expert, so maybe I’m missing something, but it seems obvious to me that the settlement fraudsters could have programs written that allow them to do something like this:

    • scrape other insecure social networks such as Facebook or Linkedin for publicly-visible Skype contact info;
    • “ping” those users’ Skype accounts using this technique to get their IP addresses;
    • separately scrape various porn swarms to get IPs;
    • match up those IP lists to get real names from those unsecured social network profiles;
    • use data from those unsecured social network profiles – and other public info, such as telephone directories and electoral registers – to get their home addresses;
    • send out extortion letters and wait for the money to roll in.

    If you’re thinking about matching just one IP, it’s rubbish – but if you think about an automated solution working in volume, scraping constantly and potentially generating millions of matches, Skype’s insecurity would seem to be a blackmailer’s goldmine.

    No judges or legal proceedings of any kind, no official oversight whatsoever, just pure intimidation and vast profits – largely at the expense of perfectly ordinary people, most of whom will be “guilty” of no more than having no idea how to keep their wi-fi connections secure, or of being parents who won’t allow their rash and over-curious children to be sexually humiliated in public.

    It speaks volumes about Skype that they haven’t bothered with this in a year.
    Fuck you, Skype. Fuck you very much indeed. >:(

    • http://twitter.com/icanhazsake Ninja

      That. But the blackmailing wouldn’t be a problem if MAFIAA weren’t a bunch of assholes and litigated the hell out of everything while pushing for more draconian laws, would it?

  • anon

    So just turn off skype while you torrent.

    Or you can use Nimbuzz. I kever did like skype

    • Noone

      Gonna guess turning skype off while you torrent or torrents of while you skype will make no difference.

      Why? Well because all they have to do is get 100′s/1000′s/10,000′s of IP’s with info via skype, store it as a “Possible” list of infringers, add all IP’s to a list to be scanned against any torrent activity FROM NOW until whenever & Bobs your Aunties sister’s cousin twice removed any torrent activity has you flagged.

      Its not about catching you torrenting while your on skype, its about farming IP address’s with personal info to be used anytime they please.

    • Guest

      Just turning off Skype while torrenting won’t help anything since the matching of the torrent IP and Skype account doesn’t have to be at the exact same time. And even if you turn off Skype, you last Skype used IP can still be retrieved for 72 hours since you logged off according to the paper.

  • http://torrentfreak.com/ Rob8urcakes

    I’m an ardent filesharer 24/7 and an occasional Skype user, and if the Evil Empire of Micro$oft asswipes don’t get this fixed ASAP, they lose my cash as I simply move to a better and more secure system.

    Or I simply cease using such a dangerous program (if this exploit is applicable to other programs too).

    In short – bye bye $kype coz uT is my friend.

    • anon

      Just use Nimbuzz

  • Pingback: Security Vulnerability of the day: Skype | Bram.us

  • Pingback: Skype mit neuer Sicherheitsluecke: ich sehe, was du saugst!

  • Pingback: Von Piwik 1.6 sowie kostenlosen und nervenden Dingen - Version, Beta, Windows, Details, Upgrade, Skype - Die Datenreisenden

  • Pingback: Laittomat latauksesi voidaan jäljittää, jos käytät Skypeä | Digilelut

  • Pingback: Fallo en Skype permite el seguimiento de descargas en BitTorrent desde hace un año - La Isla Buscada

  • http://mzl.la/n9FAit Needlez™

    M$ = FAILURE! Just go out and get a free open copy of any Linux distro. They’re easy as fuck to use, specially Ubuntu, Mint, or Fedora. If you can’t figure out how to run that, I’d really feel ashamed. It’s like as fucking simple as Apple or M$, just the a little different style to the UI. Geez.

    • DocGerbil100

      Sorry, Needlez, but the issue is on Skype’s servers, so how exactly would end-users running a different OS help?

      Whether we’re talking about Windows or Linux, it’s not as if the FOSS world is awash with equally accessible, featured and stable videochat clients and secure networks.

      For certain software – for me, the FireFox web-browser and the Pidgin text-chat-client spring to mind – open source is absolutely magnificent and I don’t hesitate to evangelise it to anyone who’ll listen.

      For other software – like videochat clients, torrent-clients, even standalone media-managers and players – the open-source movement is so far from it’s A-game it’s not even funny (and don’t get me started on Ubuntu).

      Don’t get me wrong – I like FOSS – but at the moment, it seems to be Skype or nothing for videocalls. If anyone reading can suggest any better alternatives, I’d love to give them a try. :)

  • Pingback: Un fallo en Skype permite obtener las IPS de sus usuarios | ideasweb.info | Noticias, Software y novedades. Las mejores aplicaciones web, con los trucos más útiles y toda la información en nuestro blog.

  • Pingback: Fallo en Skype permite el seguimiento de descargas en BitTorrent desde hace un año | R-NET

  • Pingback: Security Flaw Links BitTorrent Users to Skype Accounts | Hosted VOIP Phone System

  • Pingback: Fallo en Skype permite el seguimiento de descargas en BitTorrent desde hace un año « ??? Û???Ø?ø

  • Pingback: Un fallo en Skype permite obtener las IPS de sus usuarios

  • Anonymous

    tiny.cc/qcfnd

  • Pingback: Difetto di Skype è in grado di rivelare le abitudini degli utenti p2p

  • Pingback: Skype Journal – October 2011 News Roundup « Skype Journal

  • BTGuard - BitTorrent Anonymously

NewsBits

Even more news...

  • The Pirate Bay Isn’t Down Completely, Just Having a Few Issues

    Twitter and Facebook, not to mention the TorrentFreak inbox, are currently alive with complaints that The...

  • Pirate Bay Founder Gottfrid Svartholm on Freedom of Speech

    Freedom of speech is a highly valued commodity, but should people be allowed to say whatever...

  • Blu-ray Anti-Piracy Tech Stops Discs and Promotes Purchases

    An anti-piracy system present in all official Blu-ray players since 2012 has received a fresh update...

  • Foxtel Breeds Pirates by Locking Up Game of Thrones

    One of the main reasons why people turn to piracy is the lack of legal alternatives....

  • UK Student Admits Breaching Sony Copyrights With Leak of PS3 SDK

    Last year an Internet user known as El Nomeo leaked version 3.70 of Sony’s Playstation3 SDK...

MostDiscussed

Below are TorrentFreak's most discussed articles of the past month. Join the discussion if you like.

CopyQuote

Left Quote

“The Pirate Bay has been one of the most important movements in Sweden for freedom of speech, working against corruption and censorship.

Peter Sunde Left Quote

PopularArticles

A selection of some TorrentFreak's classics dug up from our archives.