Ne’er-do-wells have long abused a feature in Skype to glean the Internet address of other users. Indeed, many shady online services that can be hired to launch attacks aimed at knocking users offline bundle so-called “Skype resolvers” that let customers find a target’s last known location online. At long last, Microsoft says its latest version of Skype will hide user Internet addresses by default.
“Starting with this update to Skype and moving forward, your IP address will be kept hidden from Skype users,” Microsoft’s Skype team wrote in a blog post about the latest version, v. 7.0.18.109 for most users. “This measure will help prevent individuals from obtaining a Skype ID and resolving to an IP address.”
Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks (most often against online gamers). The idea is that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account, and then use the resolvers to locate their IP. Thus far, the resolvers have worked regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.
Redmond purchased Skype in 2011, and since then has changed many features of the peer-to-peer (P2P), voice-over-IP and messaging service, which now comes bundled with Windows 10. But it hasn’t heretofore changed the core P2P component of Skype, a feature that acts much like popular file-sharing applications in that it dynamically routes bandwidth-intensive tasks that would otherwise need to be handled by centralized servers. However, this flexibility and scalability come at a cost: The IP address of every user must be shared across the Skype network so that individual users can talk and connect directly to one another.
It remains unclear what tweaks Microsoft made to achieve this result, and whether this fix will remain effective. This isn’t the first time Microsoft has promised to put a stop to IP address leaks in Skype: In May 2013, Microsoft released a beta version of Skype that was designed to mitigate the issue, but booter service operators quickly figured out ways around the new protections.
Source: Krebs