It might come as no surprise to you that the popular chat program, Skype, has some flaws. But researchers have recently discovered a flaw so dangerous that, in the right circumstances, it could get you killed.
Anytime you connect to something online, be it a website, a chat program, or anything else, you leave a trace that you were there in the form of an IP address. Your IP address is a set of numbers that uniquely identifies your computer while it's on the Internet. In some cases, those numbers change from time to time, but the important thing to remember is that, whatever the numbers and however often they change, they always identify your specific connection. These numbers are assigned to you by your Internet provider every time you connect to the net.
When you connect to Skype, just like any other online service, you leave your IP address as a record that you were there. In most cases online, only a site's administrator can see your IP address by going through the logs, but in Skype's case anyone can find it by using one of the many simple, free 'Skype Resolvers' out there.
I'm not going to go into the technical details about how the flaw works, but the threat is that Skype leaks the IP address you were using the last time you connected (which might be your current IP address if you are currently connected).
Why is this dangerous and why do I believe it could get someone killed? Because your ISP keeps logs of what IP addresses it assigned to you at any given time. That means that, knowing your IP address, I can find your ISP. Finding your ISP means I can either social engineer or hack an account address for you from your ISP. Having that information means I can stalk, harass, or even kill you.
This is a flaw that Microsoft (the current owner of Skype) must fix. Until they do, I'd like to encourage everyone to boycott Skype and send a letter to them letting them know why you're doing so. There are other, better, more secure programs out there that do the exact same thing that Skype does, and they're completely free and open source.
- Jitsi (www.jitsi.org)
- Ekiga (www.ekiga.org)
- Pidgin (www.pidgin.im)
- Adium (adium.im)
How serious are you about your security?