
Huge Security Flaw Leaks Users’ Real IP-Addresses



mmmmm
02.04.15, 01:39
Huge Security Flaw Leaks VPN Users’ Real IP-Addresses


VPN users are facing a massive security flaw as websites can easily see their home IP-addresses through WebRTC. The vulnerability is limited to supporting browsers such as Firefox and Chrome, and appears to affect Windows users only. Luckily the security hole is relatively easy to fix.

The Snowden revelations have made it clear that online privacy is certainly not a given.

Just a few days ago we learned that the Canadian Government tracked visitors of dozens of popular file-sharing sites.

As these stories make headlines around the world interest in anonymity services such as VPNs has increased, as even regular Internet users don’t like the idea of being spied on.

Unfortunately, even the best VPN services can’t guarantee to be 100% secure. This week a very concerning security flaw revealed that it’s easy to see the real IP-addresses of many VPN users through a WebRTC feature.

With a few lines of code websites can make requests to STUN servers and log users’ VPN IP-address and the “hidden” home IP-address, as well as local network addresses.

The vulnerability affects WebRTC-supporting browsers including Firefox and Chrome and appears to be limited to Windows machines.

A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected (https://diafygi.github.io/webrtc-ips) by the security flaw.

The demo claims that browser plugins can’t block the vulnerability, but luckily this isn’t entirely true. There are several easy fixes available to patch the security hole.

Chrome users can install the WebRTC block extension or ScriptSafe, which both reportedly block the vulnerability.
Firefox users should be able to block the request with the NoScript addon. Alternatively, they can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.

“Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP,” Van der Pelt says.

“During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,” he adds.

While the fixes above are all reported to work, the leak is a reminder that anonymity should never be taken for granted.





I don't have a VPN, and they can detect even my satellite card IP.

https://torrentfreak.com/huge-security-flaw-leaks-vpn-users-real-ip-addresses-150130/
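The article describes the leak as "a few lines of code" that ask a STUN server for candidates and read the addresses back. The self-check below is an added example, not code from the TorrentFreak article and not Daniel Roesler's demo: it parses ICE candidate lines, sorts the addresses into private (LAN), public, and other (IPv6, mDNS names), and answers the question a VPN user actually has, namely whether any public address other than the VPN exit is exposed. The STUN URL, the sample candidate lines and the VPN exit address are constructed assumptions; only `collectWebRtcAddresses()` needs a browser, the rest runs anywhere.

```javascript
// Added self-check (not the article's or the linked demo's code): classify the addresses a
// browser hands out in WebRTC ICE candidates so a VPN user can see what a page could learn.

// Parse one ICE candidate line. Assumed shape (RFC 5245 candidate attribute):
// "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const m = /candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line);
  return m ? { address: m[1], type: m[2] } : null;
}

// "private" for RFC 1918, link-local and loopback IPv4; "public" for any other IPv4;
// "other" for anything not dotted-quad (IPv6, or the *.local mDNS names newer browsers use).
function classifyAddress(addr) {
  const p = addr.split(".");
  if (p.length !== 4 || !p.every(x => /^\d{1,3}$/.test(x) && Number(x) <= 255)) return "other";
  const [a, b] = p.map(Number);
  if (a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254)) return "private";
  return "public";
}

// Collect the distinct addresses, by class, from a list of candidate lines.
function summarizeCandidates(lines) {
  const out = { private: [], public: [], other: [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const bucket = out[classifyAddress(c.address)];
    if (!bucket.includes(c.address)) bucket.push(c.address);
  }
  return out;
}

// The check that matters for a VPN user: public addresses exposed that are not the VPN exit.
function exposedBeyondVpn(summary, vpnExitIp) {
  return summary.public.filter(ip => ip !== vpnExitIp);
}

// Browser only. Gathers candidates through a STUN server and resolves to the summary.
// The STUN URL is a placeholder assumption; point it at a server you operate or trust.
function collectWebRtcAddresses(stunUrl = "stun:stun.example.invalid:3478") {
  return new Promise(resolve => {
    if (typeof RTCPeerConnection === "undefined") return resolve({ supported: false });
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    pc.createDataChannel("probe");          // a data channel is enough to start ICE gathering
    pc.onicecandidate = ev => {
      if (ev.candidate) { lines.push(ev.candidate.candidate); return; }
      pc.close();                            // null candidate: gathering has finished
      resolve({ supported: true, ...summarizeCandidates(lines) });
    };
    pc.createOffer().then(offer => pc.setLocalDescription(offer));
  });
}

// Constructed sample: a LAN host candidate, a server-reflexive candidate returned by STUN,
// and an IPv6 link-local host candidate. 203.0.113.45 stands in for an address that is
// *not* the VPN exit, i.e. exactly the situation the article describes.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
  "candidate:3 1 udp 2122262783 fe80::1 54322 typ host generation 0",
];
const SAMPLE_VPN_EXIT = "198.51.100.10";  // constructed VPN exit address

// In a browser: collectWebRtcAddresses().then(s => console.log(exposedBeyondVpn(s, "<your VPN exit IP>")));
```

With `media.peerconnection.enabled` set to false in Firefox (or one of the Chrome extensions the article names installed), `collectWebRtcAddresses()` never fires a candidate, which is the state you want to confirm; an empty `exposedBeyondVpn()` result with the VPN exit as the only public address is the other acceptable outcome.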

Instab
02.04.15, 03:00
WebRTC was introduced with Firefox 22, so if you're using an older version you're good automatically.

anon
02.04.15, 04:44
I'm glad I always disable toy features like this one when setting up my browsers.

mmmmm
02.04.15, 17:57
I'm glad I always disable toy features like this one when setting up my browsers.

Do you mean there is an option to disable it while setting up (point me to it) or after setup?

anon
02.04.15, 21:49
Do you mean there is an option to disable it while setting up (point me to it) or after setup?

I think by "setting up" you're referring to the installation process, so I guess it's after setup.

My Opera 12.17 and IE 11 don't support WebRTC at all. Firefox already had it disabled. I don't have the security extensions TorrentFreak mentions installed on Chrome Iron 33, but for some reason, the IP test still can't find any addresses.

lil-fella
03.04.15, 13:13
has anyone ever tried using this Firefox extension plugin.. IPFlood


What is it?

IPFuck is a Firefox addon created to simulate the use of a proxy. With this addon installed and enabled, and if a lot of us use it, there will no longer be any means to know who is using a real IP, who isn't, and who was charged with doing something he didn't... Basically: we all become anonymous!

This addon is a "proof of concept" to show anyone who isn't already aware that the IP address has become obsolete and that no one should use an IP address as evidence anymore. This plugin is just one of many ways to spoof an IP address, and such spoofing could lead to outrageous accusations of innocents.
How does it work?

You can imagine that if I could just overwrite any existing information about your IP address I would have done so (or somebody else would have a while back)...

But it's actually a little more tricky: when sending a request to a server you will provide several pieces of information about your IP address: three of them come from the Application Layer and the last one comes from the Transport Layer. This last one I can't modify: you wouldn't get the answer to your request if that was done. But the three others can be overwritten without any consequence to your browsing...

These three headers were created to provide information on the real IP of a person surfing through a proxy server. So when you enable IPFuck, the websites you are visiting will believe that your real IP is a proxy server and (if the website was done correctly) focus on the false IP you are sending...

A lot of websites try to figure out who is hiding behind a proxy server. And if you don't believe me (I won't mind), just check out this Google search request: get real ip address php. Most of the snippets given there will check HTTP headers (the ones we overwrite) before the Transport Layer information ('REMOTE_ADDR').
What if?

What if this addon spreads and everyone changes his website code to only check for the Transport Layer information? Well then, they will lose any information on anyone hiding behind a proxy...

There is just no way to know anymore who's who, and whether the IP you're detecting as connected to your website is a real one or a spoofed / behind-a-proxy one!


IPFlood ! (former IPFuck) (http://ipflood.paulds.fr/)

Instab
03.04.15, 15:51
has anyone ever tried using this Firefox extension plugin.. IPFlood
this one just adds 3 headers:


HTTP_X_FORWARDED_FOR
HTTP_CLIENT_IP
HTTP_VIA


it does neither change nor hide your actual ip but counts on confusing the sites that rather look for these headers instead of the regular "REMOTE_ADDR"

lil-fella
03.04.15, 17:19
also using this program.. can hide your ip.. you can hide all sorts of stuff when go though this program..

Hide your real IP address and surf anonymously with Hide ALL IP

Your IP address can link your internet activities directly to you; it can easily expose you through this IP address. Hide ALL IP protects your online identity by changing your IP address to our private server's IP and routing all your internet traffic through our encrypted internet servers, so that all remote servers only get a fake IP address and you are very safe. Unlike your ISP, Hide ALL IP does not track and does not record anywhere you go.

i like to run my p2p torrent program though this..

HIDE ALL IP (http://hideallip.com/home.html)

cracks and similar are not allowed here

edit
ok no problem.. they can buy it instead if need be..
its just nice to a have a full version without paying for it huh

anon
04.04.15, 06:10
These three headers were created to provide information on the real IP of a person surfing through a proxy server. So when you enable IPFuck, the websites you are visiting will believe that your real IP is a proxy server and (if the website was done correctly) focus on the false IP you are sending...

This is a nice idea, and doesn't require much resources to implement. Unfortunately, most IP logging ignores these headers, for the very reason they can be forged.

The best way to simulate a proxy would be behavioral - using an addon that does random searches and/or randomly surfs the Internet. Think about it: if one IP searches Google for "cake is awesome", and then (with different cookies) for "reasons to hate cake", they're very likely not the same person. So that address "must" be either a proxy, or a NAT router used by different people to share their Internet access.
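The IPFlood description, Instab's list of the three headers, and anon's remark that most IP logging ignores them all turn on the same server-side decision: which address to write in the log. The example below is added here and is neither the thread's nor IPFlood's code. It shows the header-first pattern the "get real ip address php" snippets use next to a defensive version that treats the transport-layer peer address (REMOTE_ADDR) as authoritative and consults X-Forwarded-For only when the peer is one of the site's own reverse proxies. The request objects, proxy address and the 203.0.113.x / 198.51.100.x addresses are constructed stand-ins for what a web framework would hand you.

```javascript
// Added example (not the thread's code, not IPFlood's): deciding which client address to log
// when X-Forwarded-For, Client-IP and Via are supplied by the client itself.

// The pattern the "get real ip address php" snippets follow: believe the application-layer
// headers before the transport-layer peer address. Whatever IPFlood sends is what gets logged.
function naiveClientIp(req) {
  const h = req.headers;
  const xff = (h["x-forwarded-for"] || "").split(",")[0].trim();
  return h["client-ip"] || xff || req.socketAddress;
}

// Defensive version. The socket peer (REMOTE_ADDR) is authoritative unless it is one of
// *our* reverse proxies; only then is X-Forwarded-For consulted, read from the right so that
// the hops our proxies appended are used and the client-controlled left part is ignored.
// Client-IP and Via are never consulted: nothing upstream of us sets them on our behalf.
function trustedClientIp(req, trustedProxies) {
  const trusted = new Set(trustedProxies);
  if (!trusted.has(req.socketAddress)) return req.socketAddress;   // direct client; headers are forgeable
  const hops = (req.headers["x-forwarded-for"] || "")
    .split(",").map(s => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];                       // first hop that is not ours
  }
  return req.socketAddress;   // header absent or every hop was ours: fall back to the peer
}

// Log both what we trust and what the client claimed: a forged header then becomes a signal
// in the log rather than a substitute for the peer address.
function accessLogLine(req, trustedProxies) {
  const claimed = req.headers["x-forwarded-for"] || "-";
  return `${trustedClientIp(req, trustedProxies)} claimed_xff="${claimed}"`;
}

// Constructed requests. 198.51.100.7 is the real peer; 10.0.0.5 is our own reverse proxy;
// 203.0.113.9 and 203.0.113.10 are addresses an IPFlood-style client chose to claim.
const OUR_PROXIES = ["10.0.0.5"];

const DIRECT_WITH_SPOOFED_HEADERS = {
  socketAddress: "198.51.100.7",
  headers: { "x-forwarded-for": "203.0.113.9", "client-ip": "203.0.113.10", "via": "1.1 nowhere" },
};

// Same client, now reaching us through our reverse proxy, which appended the peer it saw.
const THROUGH_OUR_PROXY = {
  socketAddress: "10.0.0.5",
  headers: { "x-forwarded-for": "203.0.113.9, 198.51.100.7" },
};

// naiveClientIp(DIRECT_WITH_SPOOFED_HEADERS)               -> "203.0.113.10"  (the forged value)
// trustedClientIp(DIRECT_WITH_SPOOFED_HEADERS, OUR_PROXIES) -> "198.51.100.7"  (the real peer)
// trustedClientIp(THROUGH_OUR_PROXY, OUR_PROXIES)           -> "198.51.100.7"  (the hop our proxy added)
```

The trusted-proxy list has to be exact: if a site marks its whole internal range as trusted and an attacker can reach the origin from inside that range, the right-to-left walk will again return a client-chosen value, which is the same failure as the naive version with extra steps.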

system28
04.04.15, 19:39
As far as I know, there is no solution for chrome. Correct?

lil-fella
04.04.15, 20:15
with the HIDE ALL IP program you can hide anything you want.. including the Chrome browser..
just drag and drop the shortcut into the HIDE ALL IP program and start it from there.. then all traffic from the new shortcut will be hidden by a fake IP..

Instab
04.04.15, 21:48
As far as I know, there is no solution for chrome. Correct?
there is: dump it :P
unless you like sending all your data to google

anon
04.04.15, 22:18
just drag and drop the shortcut into the HIDE ALL IP program and start it from there.. then all traffic from the new shortcut will be hidden by a fake IP..

If you're okay with using a semi-public proxy with all the implications of that, both good (disabling IP tracking by sharing an address with many other people, accessing country-restricted content) and bad (who runs those proxies? How can you know they're not monitored? Are they fast enough? Are they banned from any site you visit?), that's a solution. But does it protect you against this vulnerability?


there is: dump it :P
unless you like sending all your data to google

Haha, I remember the "audit" where you turned all the call-home features off, and would still find connections to random Google servers.

Personally, I use Iron, and have hex-edited all the strange requests I could find out of the binaries. It seems like a good solution for Windows users.

mmmmm
04.04.15, 23:20
anon, I think you should explain those ways in detail in another topic.

Instab
04.04.15, 23:56
Personally, I use Iron, and have hex-edited all the strange requests I could find out of the binaries. It seems like a good solution for Windows users.
Mozilla-based browser. there's no serious alternative. options and available addons of all others are a joke in comparison.

anon
05.04.15, 02:29
anon, I think you should explain those ways in detail in another topic.

I'll try :wtongue: But in case I get lazy (which is likely what will happen) or don't have much time, here are the basics.

Instab has already posted some of the offending strings here (http://www.sb-innovation.de/f57/filesharefreak-back-under-new-management-28865/#post295673). There's more than one "clientsn.google.com" domain, and the page translator, which by design is a call-home itself, uses "translate.googleapis.com". It's not a good idea to pad anything with null bytes (0x00), as that usually makes the browser crash. Replace them with 0.0.0.0, http://0.0.0.0/ or https://0.0.0.0/, respecting the original format used by each string.

Furthermore, under Vista and above, additional requests come in the form of multicast DNS, which you probably don't need anyway (it's for small networks without centralized name resolution). You can turn it off by applying the following registry tweak and rebooting.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000



While not directly related, I have also turned off WebRTC device enumeration, SCTP Data Channels, local device discovery and local printing in chrome://flags. The first two may be why the IP leak test can't find my addresses.

Of course, Iron's source code is open so you could remove the offending requests directly from the code and recompile, but this takes less time.


Mozilla-based browser. there's no serious alternative. options and available addons of all others are a joke in comparison.

That's undeniably true. I switched to Firefox three years ago and was stunned by the extent to which you can personalize things - altering UI elements via CSS, where else can you do that? Unfortunately, the Gecko engine is so slow when compared with, well, everything else. The slower speed was ultimately a killer for me :wfrown: