87 comments

[ 3.3 ms ] story [ 135 ms ] thread
Isn't this the same crap that affects most messengers at one point?

You send a link, the receiving client tries to do a link preview so a request is made to the link exposing the receiver's IP address?

Yes, I was thinking the same thing. This seems like it would also hold true for Slack, Teams, Discord -- any app that would make another request to render the "card" for the URL unless those apps are proxying those requests.
Most of those apps already had this issue raised/exposed and fixed. It seems to be a very common security measure that is overlooked.
If you send a message to a channel with 5k people in it, would you expect 5k requests to go to the page in a short interval? How would that work with custom unfurl extensions?

It’s all proxies and unfurled on the server, once. Anything else is madness.

Does that madness help measuring CTR?
Agreed. And iMessage actually has the sender client generate the link preview and bundles that with the message. This sounds weird, but with end-to-end encrypted conversations, it's basically that or have it generated by the recipient.

(or have one of the receiving client send it to a service out-of-band, but that "defeats" the end-to-end encryption.)

Having the sender do it also makes sense from an auth point of view— thinking of like a private Github repo, or something like Jira running on your corporate VPN. Presumably the sender intended to share the contents with every recipient anyway and any that don't have access still of course won't be able to click through.

But it would be pretty bad UX if the card was just blank in these cases because the messaging server didn't have access.

Line previews the URL remotely. You can verify this because Line's servers are in Japan and the preview will show Japanese text for sites that offer a Japanese version
surely the request should'nt come from the client but a separate server? I presume the reason link checking exists is that the URL is reviewed for maliciousness, and that isn't likely to be done locally
> surely the request should'nt come from the client

Maybe this problem is intractable logically? The preview needs to be accurate from the perspective of the client. The only way to guarantee that seems to me sending the request from client.

I think most of the "malicious URL check" solutions literally compare the url string to a large, known bad address database
Slack and Telegram use their respective infra to fetch the URL for the preview - not your local IP.
> ...receiving client tries to do a link preview

I understood that the link in question was to some google.com, not a 'hacker' controlled URL.

[ ...Yossi sent me a link via Skype text chat to google.com. The link was to the real Google site, and not an imposter. ]

It may be something which is kept in the app's db following the generation of a preview.

Would it make sense to restrict the chats to only 'address book' contacts, supposedly trusted?

It's amazing to me that, after all these years, people are surprised at how bad Microsoft is at security. I genuinely don't understand why companies use their products after decades of egregious security vulnerabilities.
An IP address was never supposed to be personally identifiable info. If we treat it as such then no P2P service can ever work, and the internet will forever be under the control of a few large corps running data centers.

The real solution here is to completely disconnect an IP address from a person or physical location. Broad adoption of IPv6 will be a big step towards that.

How could IPv6 help on that? They could just use the prefix to figure out which network you're coming from.
I think they are referring the the shear number of IPs available and ease of switching.

Not a solid argument, but it is the only thing I can think of though for their argument.

Yes, but "network" itself is an abstract concept. Because the addresses aren't scarce you can theoretically get a new one every day, or every time you log on, and throw it away right after. Each device you own can also have its own IP, without any NATs in the way and no way to tie them together.
>but "network" itself is an abstract concept.

This is incorrect. IPv6 network routing prefixes are not an "abstract" concept. They are effectively the same PII as an IPv4 address. You can identify a user by their routing prefix, much like you can identify a user by their IPv4 address. All of their devices will have IPv6 addresses from their unique prefix much like all of their devices will have the same unique IPv4 address if they're using NAT.

IPv6 has the advantage that the ISP can give customers multiple prefixes at the same time, thus allowing rotation of the prefix without interrupting existing TCP connections.

With IPv4, ISPs that want to rotate IP addresses have to forcibly disconnect their users (e.g. every 24h). This is a common practice, though probably mostly intended to allow charging business customers more if they need a stable IP. But the privacy side effect is also nice.

But other than that minor point (which many ISPs are not taking advantage of), IPv4 addresses and IPv6 network prefixes are essentially the same privacy-wise: uniquely identifying an ISP customer, i.e. a family, not an individual.

Question from someone who don’t know much about IP. Isn’t ipv4 better for privacy from practical standpoint? Most of the time users are behind bunch of NATs. And with ipv6 premise (I may be wrong here) it “public ip for every device”. Which should make it easier to track people.
While end devices are usually behind NATs, most ISPs out there still ensure that every customer has a unique public facing IP address which is tied to them long term. My own residential IP (with Comcast) hasn't changed in years.
There's NAT and then there's CGNAT and basically all of the new wave ISPs are using it.

But, I'd rather deal with the cgnat annoyances than ever have a financial relationship with Mediacom again.

ISPs in Singapore for example absolutely store mapping of your name+your CGNAT RFC6598 IP + port.
Regulatory compliance?
It is. Also that data is stored for 3+ years.
There is a router with one IP address. If there is more than one user/device behind the router, how are you going to have IP address for each user?
Short answer is not entirely.

Most home internet still has unique public IPv4 in the US. There is technically nothing stopping a mobile operator from granting its endpoints fresh IPv6 addresses frequently.

It is. People here are fervently pro-ipv6 and won't admit it, but your theory is completely right.
If I put my Conspiracy Hat on, the reason they just did not Extend ipV4 to just add some more address space is to purposefully eliminate Privacy on the internet

There is a huge number of people that believe in things like a "Real Names Policy", and that Anonymous Access to the internet was a mistake, These people hold positions of power in organizations that make the standards.

Na, it's just that ipv6 was conceived when the ideas of privacy on the internet weren't advanced enough.
The ideas of privacy were, but not the idea that someone really would go through the effort to store connection information for the purpose of surveillance. Naturally, because that still is a perversion.
Meanwhile, we've got ISPs like MetroNet removing support for IPV6 in markets that previously had it, and entering new markets with CGNAT (many customers with 1 IP) as default.
HIPAA defines an IP address as PII, especially in combination with any other identifier. If you have a first name + IP, or an email + IP, then federal law says that’s PII.
They were saying it wasn't meant to be personally identifable. Not that it wasn't. And they're right, a large part of the foundations of the internet were built and designed for the past and what was happening in the past with no real idea of how it would all grow and we would continue to use these building blocks.

Email is a great example. We've patched things on top of it to try and fix the fundamental flaws but they're still there. An easy one is that you don't have to prove you own an email address to send an email that looks like it's from that sender. We added DKIM, DMARC, etc. But the flaw still fundamentally exists.

Understood, and I don't disagree with their idea of how it ought to be. But realistically, that ship has sailed. It's even coded into law now: an IP identifies a finite group of specific people. I wish that weren't the case, and I roll my eyes every time that comes up in a legal conversation, but we lost the argument.

As an aside, although I haven't seen any explicit language discussing this, I'd say that an IPv6 (even a random one thanks to privacy extensions) is exactly equal to an IPv4 address. My house has a static IPv6 prefix, so if you see an IP from that subnet, it's someone in my house, exactly as if our shared IPv4 address showed up in the logs. In my opinion, the host portion of the address is basically equivalent to a random port number for identification purposes.

>An IP address was never supposed to be personally identifiable info.

Says who? an IP is absolutely PII from its inception. It's an identifier. "IP X is requesting xxxsite.com? That's assigned to Larry in accounting. Better call HR."

>internet will forever be under the control of a few large corps running data centers.

It alway was, is, and forever will be. Someone has to host things, this only works at scale.

>The real solution here is to completely disconnect an IP address from a person or physical location

This is called a VPN. or as I like to call it, an IP tumbler. When the major super powers no longer need it for espionage the current loopholes will be closed. The net became popular, it is by nature easy to abuse, therefore people will regulate it until it is "safe", of course it will only look that way.

>Says who? an IP is absolutely PII from its inception. It's an identifier. "IP X is requesting xxxsite.com? That's assigned to Larry in accounting. Better call HR."

No, it's locally identifiable information. IP X is assigned to Larry's computer. That might be Larry making that request, but it should be considered a leap in logic to reach that conclusion without more information.

Identifiers assigned to objects associated with people, even indirectly, are PII even if it is possible for them to be misleading. PII doesn't require that the information be incapable of being misleading, otherwise almost nothing would be PII.
Didn't read the article, but the more prevalent issue with obtaining your IP from Skype usually isn't that it's going to uncover your identity, but that someone will be able to DDoS you (for example while playing online games)
An IP address was always designed to identify a computer. That’s the point of an address. The part that made them (approximately) personally identifiable is the invention of personal computers.
> An IP address was never supposed to be personally identifiable info.

Fact is, it is legally classified as PII, at least in the GDPR sphere.

> If we treat it as such then no P2P service can ever work, and the internet will forever be under the control of a few large corps running data centers.

We are already at that point. Host anything on the Internet without Cloudflare, Akamai or other CDNs and you will get targeted by skiddies running exploits on everything they find on Shodan, and if you're a noteworthy social media person (i.e. a streamer), there are enough completely braindead trolls that will stop at nothing to get you off the internet: if you are lucky you'll just get DDoS'd, if you attract the more toxic arseholes, you will end up having your door kicked in by a SWAT team.

> The real solution here is to completely disconnect an IP address from a person or physical location. Broad adoption of IPv6 will be a big step towards that.

That doesn't fix anything, it just makes hacking a specific machine a bit harder. Bad actors will just spam your entire /64 (because that's your provider's default allocation) instead. The solution is to kick bad actors off of the Internet - and all sorts of bad actors at that: people running compromised devices that are used by the actual bad actors, people running services that end up being used by bad actors such as SS7 access brokers or VoIP providers lacking auditing, bad actors themselves, and nation states like Russia, China, North Korea, Iran that actively conduct or tolerate hacking campaigns or India and Turkey that don't do shit against scam callcenters.

> completely disconnect an IP address from a person or physical location

The main purpose of an IP address is to deliver packets to some location in the world via the shortest path. You could imagine adding a Tor-like indirection layer to IP, but this would necessarily make the network slower because we can't increase the speed of light.

Perhaps an ISP could regularly reshuffle its IP addresses within a geographical region, but it only takes a few bad actors to send the whole region to CAPTCHA hell.

There are two alternative behaviors I can think of:

1. The service operator prerenders link previews on its own servers, then sends them to the client, which means that it needs to be privy to the contents of messages. I suspect this is already the case for Skype, but it's a feature that (say) Signal can't do this.

2. The message sender prerenders the link preview. Where link previews are interactive (I'm always impressed by linking Bandcamp in Slack, for instance), one could easily accomplish the same with some malicious JavaScript.

I'm not sure any particular behavior is "better".

The latter option (without interactivity) is how iMessage works.
I'm really confused about whether Skype mobile includes Teams that used to be Skype and have just been renamed.
> Hackers can get your IP through Skype

More like hackers can get your IP through you merely using The Internet.

Also once a document or link is released onto the web, it will be looked at, mostly automatically. I crafted a PDF document that when opened, alerted me who opened it (a honey PDF). I uploaded it to both Google Drive and Dropbox, and it was some co-lo in Virginia that automatically scanned it, presumably to preview the doc in Dropbox/Drive, or (I suspect) maliciously opened it to have a nose.

I've heard from a reliable source that PDF and DOC sent through Messenger have all embedded links visited automatically
No I mean a specially crafted PDF that beacons out who opened it up. Not links in the PDF.
Funny because isn’t teams is based on that tech? Correct me if I’m wrong. I don’t work for Microsoft but my brother does. I recall him telling me this once, not sure if it’s true.
It was at some degree. However Teams has no such problem as described in the article.
"it is trivially easy to exploit and involves changing a certain parameter related to the link."

what would that be?

So many words, so little information.
In other news, hackers can get your IP address by sending you an email.
Does anyone remember Skype resolvers? They were incredibly popular from like 2011-2014.
I perfectly remember them also being embedded in DDOS as a Service offers. It's surprising seeing many persons saying an IP is not PII/private. While it may not allow you to "hack" a person, you can very certainly saturate his uplink. I also remember streamers being resolved and targeted repeatedly.
Yeah. If you were decently high ranked in any popular video game at the time, you had to make sure you didn't share a username between Skype/the game, or you'd be DDOSed endlessly.
[flagged]
Given there's no way to easily verify that, you could be doxxing someone you want to be targeted.
It's not like the "hackers" are going to be able to do much with the IP address.
An attacker can simply DDoS someone, a common nuisance in online games.
Depends on a person’s threat model. If someone is a dissident under a repressive dictatorship, and the “hackers” work for the regime, someone could be killed with this information.
Anyone in that position knows not to use Skype. Anyone in that position that was using Skype was likely picked up ages ago because their threat modeling is clearly trash.
That's not a reason to discount this as a real vulnerability. Most hacks in the real world are due to mistakes in security hygiene. Because most people aren't security experts, and even those who are, are human. They make mistakes, do things in a hurry sometimes, and don't know everything. Novel, high-skilled attacks are uncommon.
It's certainly a real vulnerability just not a particularly impactful one. Claiming that it's going to get people killed is unnecessarily inflammatory rhetoric that makes you look like you don't know what you're talking about. Claiming that novel, high-skilled attacks are uncommon when they're inherently challenging to have visibility of confirms that you don't know what you're talking about.
I'm not saying (and didn't say) that's a likely outcome of this particular bug. I'm posing the example as something that could be done with an IP address, because I'm pushing back at the assertion that IP addresses aren't useful for anything. They aren't useful for criminal hackers looking for a random untargeted machine to compromise. But they're useful for targeted scenarios like the example I gave.
Uh, what? What scenario are you trying to conjure here? The regime knows the person's Skype handle, but not his/her IP; and the knowledge of the IP someone enables the regime to kill the person?! How does that work, exactly? Can you elaborate?
Yes, and in places like these, ISPs are compelled to provide address assignment logs, if the ISPs are not government entities already. With that info, they can show up to their physical address.
Maybe I didn't express myself well enough. Do you really find it plausible that the government would know the person's Skype username but not their name? If they can compell the isp, why not Microsoft? They will obviously comply too.
> Do you really find it plausible that the government would know the person's Skype username but not their name?

Yes, people communicate under pseudonyms on the internet all of the time.

Remember that not all governments have the same technological power as the major global powers... especially the most repressive ones.

> If they can compell the isp, why not Microsoft? They will obviously comply too.

MS has a limited physical footprint where they can be legally compelled to do anything. They don't operate in the world's most repressive regimes. And they do deny information requests all of the time. 25% of criminal requests were rejected by MS last year for not meeting requirements. And many of the world's most repressive regimes don't even appear on the list. Probably because they also say (emphasis mine):

> Microsoft produces data in response to valid legal requests from governmental entities in countries where Microsoft Corporation is located.

https://www.microsoft.com/en-us/corporate-responsibility/law...

People in 2013 were performing this, or something quite similar, to DDoS players like a bully.

I can only imagine the implications for livestreamers, or other public facing folks.

> An IP address was never supposed to be personally identifiable info.

I'm not sure if law enforcement would like that. They want to identify and catch bad actors like blackmailers, hackers, terrorists and a bunch like that.

Certainly Microsoft should patch this, but as for the specific issue... so what? I don't consider my IP address to be sensitive information, regardless of whether or not various regulations may consider an IP address to be PII.

Sure, there are some classes of people for whom this might be a big risk (journalist or dissident in an oppressive dictatorship, for example), but those people should not be using Skype in the first place.

I haven't used Skype in close to a decade. No one that I know uses Skype. All the former Skype users have moved over to WhatsApp, Discord, etc.

Who is using Skype in 2023? How many users are still using Skype?

It gets used on platforms like italki (by users, not as a white labeled thing). People share skype names and you can use it with people behind the great firewall.
I used Skype until 2019 when I moved back to the US. It was nice to have a local US number for my family to call. (Maybe there's a better way to do that, though.)
Most chat programs have solved this by using a proxy. The downside of this is that the proxy may be blocked. There should be a more generic and safe way to deal with link previews.
jokes on them, it's been years since I used skype!
Reminds me of the days when people used Skype Resolvers, good ol' days.
> The attack could pose a serious risk to activists, political dissidents, journalists, those targeted by cybercriminals, and many more people.

Since Skype is infamous for lacking E2EE and other security methods, I wonder if these groups of people, who are sensitive to privacy, will still use Skype in 2023.