According to a skype-open-source blog post, a new exploit has been uncovered that provides an attacker with any Skype user's remote and local IP addresses.
"The process is unfortunately pretty simple," writes Neowin's John Callaham. "First, a person can download a hacked version of SkypeKit and then change a few registry keys. Then all that person has to do is try to add a new Skype contact name in the program. The IP [addresses] are revealed when you click on a Skype user's information card. You don't even have to send a contact confirmation notice to that user, which means he or she will be unaware that you are viewing their IP addresses."
"In a test conducted by The H's associates at heise Security, the log file always showed the correct IPs -- and when a user was logged in with multiple clients, the IP addresses for all the clients were visible," The H Security reports. "Shortly after this was discovered, a hacker known as 'Zhovner' put together the skype-ip-finder.tk web service. After a CAPTCHA has been submitted, the service can be used to find out IPs even without the special Skype client, and therefore without having to use a valid Skype account."
"The process of getting another user’s IP address can only work if the intended user is also online," notes Ubergizmo's Pradeep Chandrasekaran. "The only ways to protect against this process are by logging off your Skype when it isn’t in use or by applying a virtual private network which effectively cloaks your IP address."
"Skype said it is looking at the issue," writes CNET News' Roger Cheng. "'We are investigating reports of a new tool that allegedly captures a Skype user's last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies,' said a company representative. 'We are committed to the safety and security of our customers and we are [taking] measures to help protect them.'"