Skype is warning users following the launch of a site devoted to harvesting user IP addresses. The Skype IP-Finder site allowed third parties to see a user's last known IP address by simply typing in a user name.
A script has been uploaded to GitHub that offers these options. According to the page, it can be used to look up the IP addresses of online Skype accounts and return both the remote and the local IP of that account on a website.
The script is, for instance, available on this site. Just enter the user name of a Skype user, fill out the captcha, and click the search button to initiate the lookup. You will receive the user’s remote IP and port, as well as the local IP and port.
Adrian Asher, Director of Product Security, Skype: “We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.”
The search tool, which has since been taken offline, exploits a recently discovered vulnerability in Skype. The original vulnerability was detailed by an unidentified user on the note-sharing site Pastebin.
Instructions on the site explained how a user could download a patched version of Skype that would "help you to get info about Skype user: City, Country, Internet provider and internal user IP-address."
While the original vulnerability was quickly fixed by de-authorizing any Skype user who used the modified patch, the search portal allowed users to find out private IP information without the need for the modified patch.
There is currently no way of protecting yourself against the lookup of the IP address, other than not logging in to Skype when the software is not needed. The only other option would be the use of a virtual private network or proxy to hide the IP address from users who look it up.
Source: THN, Packetsecurity