Hacker News new | past | comments | ask | show | jobs | submit login
Skype IP Lookup (skype-ip-finder.tk)
192 points by lobovkin on Apr 27, 2012 | hide | past | favorite | 97 comments

Ok, so I'm develop this.

It based on deobfuscated Skypekit runtime that write clear debug log.

Wrapper just make vcard refresh from p2p skype network and then parse debug log.

Here is the sources of python wrapper https://github.com/zhovner/Skype-iplookup/

Lol, skype banned my account.

From just looking up the IP to that account?

Why banned?

Why do you think? This probably violates a few terms of use.

I have decided to post this link so not only Russians know about it :)

I'm trying to start server.py on Ubuntu 12.04 (Python 2.6.7) but I receive this error starting server.py:

Exception AttributeError: "SkypeKit instance has no attribute 'socket'" in <bound method SkypeKit.__del__ of <skypekit.SkypeKit instance at 0x117d7a0>> ignored Unable to create Skype instance

Any idea to fix this problem?

You must put server.py in ./skypekit-sdk_runtime-3.7.0/examples/python/tutorial/ and run out there.

Also you need edit keypair.py

Please create all issues on github.

I moved server.py already in the right place but is not clear for me which values I need to write into keypair.py could you please write a detailed readme on github?

Thank you in advance man

P.S. issue opened on github ;)

I have the same problem, I have changed the files but it doesn't help

It is work for you?

Please don't downvote this. This is the actual developer asking for failure reports etc. English is not his first language, either, so please don't downvote because of brevity or poor grammar, either.

English may not be his first language but he seems to know the basics. http://i.imgur.com/ADxK3.jpg

I just tried it and it didn't work. After maybe 5 minutes of "Please Wait...", it said no results found. Is it just overloaded?

Yep. Tested myself and a few remote coworkers.

I tried, but the server seems to be busy? I am not getting a result.

If you not see result after 20 sec. refresh page and request again.

Ah, yes, just tried it again and it worked.

Worked for me - and with a quick reverse lookup I was able to tell a friend the name of his halls of residence

Cookies error

MacOSX Lion, Safari [SP], Skype is installed and on, don't know what else I can tell you...

Yeah, I just entered a friend's skype name and it showed an IP in correct country and city

Yes, worked great for me! crazy

Yes, it worked perfectly.

Not working for me. Do I need something installed?

Worked fine here.

Yes, it worked

Skype is at its core a p2p idea, so this is expectable. That's sort of the same thing that was done for bittorent users, except with a single centralized authority.

The interesting thing is that they do this without making a call. They only request contact information. This could be avoided.

Skype can mitigate this, but in the end, there is little more to be done. If you want a p2p network where anyone can be reached, at some point, you will need ips.

What they could do is have contact requests go through Skype master servers, not p2p, that way you could only look up the IPs of people you are connected to. But is it a big enough issue that they will make such a big change? I doubt it - and I'm not sure they ought to have to do it, either.

Yes there would have to be master servers to close this hole, but I can't imagine how it can be done without everybody upgrading to the new client, so we can assume that every Skype user's ip is known or will soon be known. The current state will last for a while.

You don't have to be even logged in for this to work(!) according to some already published research.

Note that you are not always forced to be in someone's contact list to contact him. It's a user configurable setting. I wonder if call-blocking for incoming calls from persons not in contact list is done at server level or client level.

Skype sometimes routes calls through a third party. Even when calling you shouldn't be sure that the IP is that of the recipient or the third party.

(The site doesn't work so I haven't read the article.)

Really scary.

I wanted to see if i could find someone. Went onto twitch.tv. Picked a random stream. Got email. Looked up Skype id from email. Searched for skype id which gave me the IP and the small town where they currently reside.

Its worrying how easy this makes it to find someone.

Honest question, why is it scary?

My IP resolves to a location ~20 miles away. I don't see why having a Skype contact and knowing a 20 mile radius where they live is anything to worry about?

Most residential internet connections don't have any sort of DDOS protection, so privacy issues aside, at the very least you are open to a simple denial-of-service attack. This was a huge problem for the popular progamer "Destiny" in the Starcraft 2 community.

So is it also really scary that the mods/admins on the Starcraft 2 forum could also see his IP address?

The risk of being DDOSed when you share a contact on Skype and they find out your IP address is hyperbole.

There is a pretty substantial difference between a few Blizzard employees knowing your IP address and the entire public knowing your IP address.

You obviously don't live in China...

But is no different than just send them a link where you save their IP when they open it (and with little social engineering you can trick anyone into clicking a link)

Actually, it's very different because one can passively acquire contact info this way, as opposed to actively contacting each one. Not only is it faster than social-engineering each contact, it's more palatable to those who don't want to attempt such.

Yes, but why does it actually matter if someone has your IP address?

It can be directly linked to your address in most cases.

Sometimes you can get to the correct city in the US. Rarely can you get any further than that from an IP. In other countries you can only really be sure about the country.

In most cases? And with what accuracy?

Here [1] is an interesting paper regarding P2P networks and privacy --- "Exploiting P2P Communications to Invade Users’ Privacy"

[1] http://cis.poly.edu/~ross/papers/skypeIMC2011.pdf

Not sure why people are surprised by this.. what did you think P2P meant?

that calls/communication would be p2p (direct connections) but not that looking up my nickname would disclose my current ip.

Could you somehow scrape all users and get an IP address -> skype name mapping? You could then know the Skype usernames of all visitors to your website.

No this not possible. Only skypename -> IP, and only email -> skypename. You can parse whole skype network and store all IP's if you can handle so many data.

The geek part of me wants to do this / see this done, the part of me that oversees a few popular content sites thinks there isn't a huge amount of benefit to it. Even for malicious purposes, Skype is a very poor option for spamming.

To creator: very impressive stuff, congrats.

Cool, my router lacks decent DynDNS support, but I have skype signed in at home, so I can always check what my IP is and VNC myself in :D

If you're not currently logged in it still discloses the last IP you used. I can't think of any good reason for it to do that.

It doesn't work if you're not logged in.

I was logged out for over 5 hours when I tested it and it showed my IP.

So yeah, this has me more than a little perturbed. I generally don't have a problem sacrificing some privacy in return for functionality (the terms of service of several popular social networks come to mind), but this... is a bit of a different situation.

Does anybody have a good short-list of Skype alternatives? I don't know that its possible for me to stop using it altogether, but I'd certainly consider cutting back...

I would point you toward Jitsi: http://en.wikipedia.org/wiki/Jitsi

But, it doesn't support the Skype protocol, and it runs on Java, with which some people have an issue (but also allows for cross-platform compatibility).

should be easy to do file sharing over skype when you have the receiver's ip and an open udp port through the firewall. maybe someone will release an app. can the mpaa sue microsoft?

Something worth 8.5 billion got to be a little more secure.

Any insights into the exploit? Obviously the bug here is that they got the IP without any confirmation from me; ideally Skype should be popping up the "new buddy request" dialog, but it's not.

So is this a fixable leak, or something core to the protocol (i.e. do you request a buddy P2P too?)

It's interesting that I can lookup people at my company who are behind the same connection that I am, but my account doesn't give away my IP. They also seem to get a lot more SPAM calls whereas I get fewer. I wonder if it's a privacy setting that I setup in the past or just the fact that my account is older.

Either way, it's great to know that this is possible.

Reasonably impressive and scary.

Yeah, now you can obtain an IP by name by searching for their name in the contact search of skype to get the username, then using this tool.

Search by email also work.

This isn't exactly patchable by skype, is it? Obviously skype could turn off some printfs from the log, but the fact the client needs the IPs and Ports to attempt connecting locally, and then over WAN, makes me think that a tool like this can exist forever.

That's why Google didn't bought Skype, their P2P is not state of the art. Your client is also a server for someone else, they obviously need your IP address and a proxy would not reduce traffic for Skype.

Why the heck did MS pay so much for it?

> Why the heck did MS pay so much for it?

Skype has a huge userbase. They can always migrate that userbase to a different technology later if they think it's worth it.

it even show my local 192.168... weird


Skype announce both your IP's into network.

Presumably for LAN efficiency? If you have two people on LAN using Skype it goes via LAN IP?

Also if run several clients it shows them all.

So if you keep several clients open in different places, it's at least harder to determine which IP reflects your current location, right?

That's scary if they really show the local IP. It becomes quite handy tool for hackers. If they have breached any computer in a company network and want to target the CEO's computer next they can just use Skype to get his IP.

Using the IP is for instance possible to locate, roughly, where the user is, that is already a big privacy concern...

Skype is P2P. No way to fix it, you can only hope to mitigate it.

"This domain and website have been suspended because of abuse or copyright reasons."

Can it be used like the invisible scanner for Yahoo Messenger? (see who's invisible)

No, after disconnect it still show IP few hours

this is not an "exploit". as the man says, your IP is being sent out to the network. others on the network are using your machine's resources. that's how skype works. he's just showing you this fact.


Well this is scary for Skype users and very embarrassing for Skype developers/owners aka. Microsoft.

I sure hope they fix this before they get sued into oblivion for this blatant privacy breach.

Fair point, but equally Skype was an independent company when it developed its protocol, and although Microsoft hasn't fixed it, its not really their fault.

It might not be their fault, but it sure is their responsibility now.

See that link hanbam put up? This has been known for months already with no patch. Hopefully this pushes them to make an actual fix.

I doubt it.. I brought this up on Skype forum and the thread was deleted 5 minutes later...

EDIT: I queried the deletion with a moderater. Was informed it had been moved to the forums admin area to be discussed at their next meeting. He said he agreed it looks like a serious problem so they are aware.

Wait until there are major media stories about it. Pass this to Wired or Ars or whoever and then they'll start promising a fix.

Interesting to hear that they're deleting it, though.

Now it is in hands of Microsoft but the problem was created early when skype was created, they never saw this as a big issue I guess. And honestly is it a big issue? I think it isn't worth sewing for, right now it's more of a face issue if anything. Im sure MS can handle this, if they want to/

Why is that? You get the same thing with emails / IRC / some IM protocols / VoIP. What's so "scary" about someone knowing your current IP?

I mean - it's one thing if Skype was advertising itself as a privacy protecting, identity hiding service... but they don't. They provide convenient A/V connections.

Let's say A wants to find B's IP address. In the case of email, A would need to trick B into replying to an email (and also use an email service that adds the client IP header). In the case of most IM servces, B would need to accept a friend request federated from a server. If I'm understanding this correctly, with Skype, A merely has to query B's status to get B's IP address.

In the case of email, the easiest way to get a user's IP is to have them load an external image.

Not true if you use a secure/intelligent email client, like Gmail. It will prompt you with a yellow bar above the email before loading any images.

It also implies that they'll open the email, which most average people won't do unless they know the sender or are otherwise expecting an email.

It's scary when you think about the context - someone you haven't added to your contact list, meaning anyone at any time, can find your current IP.

It's not exactly shocking, but it certainly shouldn't be able to happen until you've approved a person as a contact.

This is the most stupid way I have ever seen to blame Microsoft for something.

Bet you're a Mac user?

I am firing our security consultant for not telling us about this. Our entire organization is exposed. We have just learned that the man behind Skype is the same person who was behind Kazaa. And he knew this all along.

Or maybe you could resign for being an uninformed CIO. P2P is 1990s technology.

I think you might be overreacting. The kazaa thing was kind of common knowledge. Unless your business is very unsavory, I don't think allowing skype to get in your office, like every other office in North America, is any great failing.

Back to pen and paper, copper wire and snail mail? Has its appeal I suppose.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact