News of a potential security leak in Skype’s network protocols may be overblown, an investigation by ReadWriteWeb reveals today. Though it is possible for a program to expose IP addresses that have, at some point in history, been utilized by Skype users, this particular program is not Skype itself or anything that exploits a flaw in Skype.

Rather, it’s a separate, nonendorsed, reverse-engineered form of Skype 5.5. Though the reverse engineering project responsible for this program calls itself “open source,” in actuality, its proprietors appear to have merely de-obfuscated Skype’s proprietary code, made adjustments to it, and recompiled it. Those adjustments can, we discovered, produce human-readable IP addresses.

Underexposure

The commercial Windows-based editions of Skype are capable of logging details of complete user sessions (minus the dialog). Third-party developers who partner with Skype can make two adjustments to their System Registries, as explained on this Skype page, to produce log files that can be shared with Skype’s own developers. However, those files are encrypted so as not to be legible even by the developers. RWW confirmed this fact in its own tests this morning.

The project calling itself “skype-open-source” produces an executable file that demonstrates the use of reverse-engineered code to send a test message through the Skype network. (So as not to further infringe upon intellectual property, ReadWriteWeb will not post links.) This particular file is not the tool in question, and in our tests, could not be used to leak IP addresses. (One form of the tool, however, does appear to be advertising itself as a manipulator of Skype credits.) However, one of the contributors to the project, whose handle is Vilko, did post a link to his own privately hosted package, which contains both the binaries and de-obfuscated source code for a recent version of Skype.

Once the Registry changes suggested by Skype to its developers have been entered, Vilko’s program produces a nonencrypted version of the log file that is completely human-readable. A small portion of one of these session logs is shown above, with potentially identifying data blurred.  Note the PresenceManager keyword, which Skype uses to log the use of its own tool for querying the availability and status of a contact.

An examination of these session logs does reveal - as any engineer might expect - that IP addresses are associated with Skype users. As the program retrieves entries for individuals in the user’s contacts list, the log file shows, it retrieves an IP address that is apparently the beginning of a known route to an address the user has employed at some point in history. Our research indicates that this history may go back several years, meaning that a user may have moved to a different city any number of years since an address was first catalogued.

What’s more, the address that leads to a known Skype user, after a number of hops, may or may not be an IP address of the user’s direct Internet host. Several of the IP addresses we found in our research are traceable to Microsoft, though the users we traced are not Microsoft employees, nor do they use Microsoft’s servers. (Microsoft is presently the owner and operator of Skype.) My own Skype data, for example, which I located in the file, traces to a Microsoft server and not to my own company’s network.

So it may be inaccurate to say that even the reverse-engineered program exposes users’ IP addresses, but rather that it exposes addresses that enable Skype servers to make contact with them. In and of themselves, IP addresses are not personally identifiable data, although researchers have demonstrated that, with access to certain databases, it may be easy to deduce users from addresses they have used.

Damage Control

In a recent message, the “skype-open-source” project’s owners suggest that their users try looking up any Skype username. The act of doing so triggers a search for the user’s active status, which is then recorded in the log. That log entry will contain two IP addresses: often one associated with the ISP, and another used for internal routing to the loop associated with the user. Though legal experts have said this is not necessarily personally identifiable data, law enforcement officers have sought this level of information in obtaining evidence on suspects’ Internet activities.

The fact that the “skype-open-source” project first bore fruit in June 2011, and the first revelation by the project’s owners of its unencrypted logging was made just last week, suggests that even the project’s self-described developers may not know exactly what Vilko is up to. On their blog, they congratulate Vilko for his contributions and quote a message from Vilko describing how the de-obfuscated source code may be compiled using Microsoft Visual C++.

As long as code for encrypting one’s log files exists within a program that can be de-obfuscated and reverse-engineered (and many can be), it may be trivially easy for someone like Vilko to simply omit the encryption routines and recompile. In a statement released to the press, a Skype spokesperson contended that problems such as this are “industry wide.” One short-term solution for this problem may be for Skype to change its encryption scheme for its log files, although conceivably such a solution may be very short-lived indeed.

A longer-term solution may be for Skype and/or Microsoft to develop an entirely new logging system, whose files are never human-readable even in their unencrypted form. It may take more skill to decode such a system - skill which the ordinary de-obfuscator of other people’s code may lack.