
Skype IP Lookup - lobovkin
http://skype-ip-finder.tk/
======
zhovner
OK, so I developed this.

It is based on a deobfuscated SkypeKit runtime that writes a clear debug log.

The wrapper just makes a vCard refresh from the p2p Skype network and then parses the debug
log.

Here are the sources of the Python wrapper: <https://github.com/zhovner/Skype-iplookup/>

~~~
zhovner
Lol, skype banned my account.

~~~
dennisgorelik
Why banned?

~~~
ashconnor
Why do you think? This probably violates a _few_ terms of use.

------
zhovner
Does it work for you?

~~~
bryanlarsen
Please don't downvote this. This is the actual developer asking for failure
reports etc. English is not his first language, either, so please don't
downvote because of brevity or poor grammar, either.

~~~
artursapek
English may not be his first language but he seems to know the basics.
<http://i.imgur.com/ADxK3.jpg>

------
Wilya
Skype is at its core a p2p idea, so this is expectable. That's sort of the
same thing that was done for BitTorrent users, except with a single centralized
authority.

The interesting thing is that they do this without making a call. They only
request contact information. This could be avoided.

Skype can mitigate this, but in the end, there is little more to be done. If
you want a p2p network where anyone can be reached, at some point, you _will_
need ips.

~~~
corin_
What they could do is have contact requests go through Skype master servers,
not p2p, that way you could only look up the IPs of people you are connected
to. But is it a big enough issue that they will make such a big change? I
doubt it - and I'm not sure they ought to have to do it, either.

~~~
acqq
Yes there would have to be master servers to close this hole, but I can't
imagine how it can be done without everybody upgrading to the new client, so
we can assume that every Skype user's ip is known or will soon be known. The
current state will last for a while.

You don't have to be even logged in for this to work(!) according to some
already published research.

------
JohnnyFlash
Really scary.

I wanted to see if I could find someone. Went onto twitch.tv. Picked a random
stream. Got email. Looked up Skype ID from email. Searched for Skype ID which
gave me the IP and the small town where they currently reside.

It's worrying how easy this makes it to find someone.

~~~
TomGullen
Honest question, why is it scary?

My IP resolves to a location ~20 miles away. I don't see why having a Skype
contact and knowing a 20 mile radius where they live is anything to worry
about?

~~~
jeff18
Most residential internet connections don't have any sort of DDOS protection,
so privacy issues aside, at the very least you are open to a simple denial-of-
service attack. This was a huge problem for the popular progamer "Destiny" in
the Starcraft 2 community.

~~~
TomGullen
So is it also really scary that the mods/admins on the Starcraft 2 forum could
also see his IP address?

The risk of being DDOSed when you share a contact on Skype and they find out
your IP address is hyperbole.

~~~
jeff18
There is a pretty substantial difference between a few Blizzard employees
knowing your IP address and the entire public knowing your IP address.

------
hanbam
Here [1] is an interesting paper regarding P2P networks and privacy ---
"Exploiting P2P Communications to Invade Users’ Privacy"

[1] <http://cis.poly.edu/~ross/papers/skypeIMC2011.pdf>

------
Mizza
Not sure why people are surprised by this.. what did you think P2P meant?

~~~
aw3c2
that calls/communication would be p2p (direct connections) but not that
looking up my nickname would disclose my current ip.

------
bemmu
Could you somehow scrape all users and get an IP address -> skype name
mapping? You could then know the Skype usernames of all visitors to your
website.

~~~
zhovner
No, this is not possible. Only skypename -> IP, and only email -> skypename. You
can parse the whole Skype network and store all IPs if you can handle that much
data.

------
vsviridov
Cool, my router lacks decent DynDNS support, but I have skype signed in at
home, so I can always check what my IP is and VNC myself in :D

------
driverdan
If you're not currently logged in it still discloses the last IP you used. I
can't think of any good reason for it to do that.

~~~
TazeTSchnitzel
It doesn't work if you're not logged in.

~~~
driverdan
I was logged out for over 5 hours when I tested it and it showed my IP.

------
aw3c2
<http://skype-open-source.blogspot.de/2012/04/skype-user-ip-address-disclosure.html>

------
rjsamson
So yeah, this has me more than a little perturbed. I generally don't have a
problem sacrificing some privacy in return for functionality (the terms of
service of several popular social networks come to mind), but this... is a bit
of a different situation.

Does anybody have a good short-list of Skype alternatives? I don't know that
it's possible for me to stop using it altogether, but I'd certainly consider
cutting back...

~~~
18pfsmt
I would point you toward Jitsi: <http://en.wikipedia.org/wiki/Jitsi>

But, it doesn't support the Skype protocol, and it runs on Java, with which
some people have an issue (but also allows for cross-platform compatibility).

------
ilya2
should be easy to do file sharing over skype when you have the receiver's ip
and an open udp port through the firewall. maybe someone will release an app.
can the mpaa sue microsoft?

------
option_greek
Something worth 8.5 billion got to be a little more secure.

------
ajross
Any insights into the exploit? Obviously the bug here is that they got the IP
without any confirmation from me; ideally Skype should be popping up the "new
buddy request" dialog, but it's not.

So is this a fixable leak, or something core to the protocol (i.e. do you
request a buddy P2P too?)

------
myared
It's interesting that I can look up people at my company who are behind the
same connection that I am, but my account doesn't give away my IP. They also
seem to get a lot more spam calls whereas I get fewer. I wonder if it's a
privacy setting that I set up in the past or just the fact that my account is
older.

Either way, it's great to know that this is possible.

------
alexchamberlain
Reasonably impressive and scary.

~~~
mcs
Yeah, now you can obtain an IP by name by searching for their name in the
contact search of skype to get the username, then using this tool.

~~~
zhovner
Search by email also works.

~~~
mcs
This isn't exactly patchable by skype, is it? Obviously skype could turn off
some printfs from the log, but the fact the client needs the IPs and Ports to
attempt connecting locally, and then over WAN, makes me think that a tool like
this can exist forever.

------
sek
That's why Google didn't buy Skype, their P2P is not state of the art. Your
client is also a server for someone else, they obviously need your IP address
and a proxy would not reduce traffic for Skype.

Why the heck did MS pay so much for it?

~~~
bdonlan
> Why the heck did MS pay so much for it?

Skype has a huge userbase. They can always migrate that userbase to a
different technology later if they think it's worth it.

------
tutre
it even shows my local 192.168... weird

BUT HOW?

~~~
zhovner
Skype announces both of your IPs to the network.

~~~
TazeTSchnitzel
Presumably for LAN efficiency? If you have two people on LAN using Skype it
goes via LAN IP?

------
skypeopensource
This is a more informative description:
<http://nickfurneaux.blogspot.com/2012/04/skype-ip-addresses-in-clear.html>

------
antirez
Using the IP it is, for instance, possible to locate, roughly, where the user is;
that is already a big privacy concern...

~~~
revelation
Skype is P2P. No way to fix it, you can only hope to mitigate it.

------
kevinpacheco
"This domain and website have been suspended because of abuse or copyright
reasons."

------
tdr
Can it be used like the invisible scanner for Yahoo Messenger? (see who's
invisible)

~~~
zhovner
No, after disconnect it still shows the IP for a few hours.

------
ilya2
this is not an "exploit". as the man says, your IP is being sent out to the
network. others on the network are using your machine's resources. that's how
skype works. he's just showing you this fact.

------
mikelnight5l
technikboy04

------
gitarr
Well this is scary for Skype users and very embarrassing for Skype
developers/owners aka. Microsoft.

I sure hope they fix this before they get sued into oblivion for this blatant
privacy breach.

~~~
viraptor
Why is that? You get the same thing with emails / IRC / some IM protocols /
VoIP. What's so "scary" about someone knowing your current IP?

I mean - it's one thing if Skype was advertising itself as a privacy
protecting, identity hiding service... but they don't. They provide convenient
A/V connections.

~~~
rhplus
Let's say A wants to find B's IP address. In the case of email, A would need
to trick B into replying to an email (and also use an email service that adds
the client IP header). In the case of most IM services, B would need to accept
a friend request federated from a server. If I'm understanding this correctly,
with Skype, A merely has to query B's status to get B's IP address.

~~~
daeken
In the case of email, the easiest way to get a user's IP is to have them load
an external image.

~~~
michaelhart
Not true if you use a secure/intelligent email client, like Gmail. It will
prompt you with a yellow bar above the email before loading any images.

It also implies that they'll open the email, which most average people won't
do unless they know the sender or are otherwise expecting an email.

------
AnonCIO
I am firing our security consultant for not telling us about this. Our entire
organization is exposed. We have just learned that the man behind Skype is the
same person who was behind Kazaa. And he knew this all along.

~~~
steve918
Or maybe you could resign for being an uninformed CIO. P2P is 1990s
technology.

