The New York Times uses WebRTC to gather local IP addresses

247 points by DamienSF almost 10 years ago

22 comments

dzlobin almost 10 years ago
Forum post from Dan Kaminsky, co-founder of WhiteOps[1][2]:

"Dan Kaminsky here, my apologies for kicking up a ruckus. This is part of a bot detection framework I've built at White Ops; we basically are able to detect browser automation using resources exposed in JavaScript. Nothing dangerous to users -- or we'd go file bugs on it, which we do from time to time -- but it does provide useful data regarding post-exploitation behavior. Happy to jump on a call with anyone concerned or worried; I'm over at dan@whiteops.com."

[1] http://www.whiteops.com/company
[2] https://isc.sans.edu/forums/STUN+traffic/745/2
Comment #9894425 not loaded
Comment #9895803 not loaded
AdmiralAsshat almost 10 years ago
Just a friendly reminder for anyone using uBlock Origin on Chrome or Firefox that you can now configure it to prevent WebRTC from leaking your real IP:

http://www.ghacks.net/2015/07/02/you-can-block-webrtc-from-leaking-your-ip-now-in-ublock-origin/

You *do* need to enable this. After reading the article I immediately checked my dashboard and saw that the option was available, but unchecked.
Comment #9894293 not loaded
Comment #9894165 not loaded
Comment #9894259 not loaded
Comment #9894302 not loaded
Wilya almost 10 years ago
A whois on the domain serving the offending JavaScript leads to White Ops[0], who seem to sell tools to protect against ad fraud. So I'm guessing this is part of their fingerprinting system, to determine whether I am a human or a bot.

[0] http://www.whiteops.com/
Comment #9894247 not loaded
userbinator almost 10 years ago
I believe that WebRTC, just like JavaScript, should be disabled by default and enabled only on sites that you really trust and need it; and in the case of WebRTC, the argument is much stronger since its use-case is so specific.
Comment #9895869 not loaded
Comment #9894806 not loaded
_joev almost 10 years ago
Here's a tool I wrote that grabs your internal IP and scans your LAN using response timings and HTTP asset fingerprints:

Demo: http://joevennix.com/lan-js/examples/dashboard.html
Code: https://github.com/joevennix/lan-js

If you are interested and have some time, find and contribute HTTP "fingerprint" assets from devices on your LAN to src/db.js.
decasteve almost 10 years ago
Ironic that loading up this site, webrtchacks.com, Tor Browser warns me: "Should Tor browser allow this website to extract HTML5 canvas image data?"

I've now given up on "naked" browsing of the web and only surf via the Tor Browser Bundle. I use a standard Firefox only for web development.
Comment #9894251 not loaded
joshmn almost 10 years ago
I said this when the vulnerability/bug/whatever you want to call it was posted here: I use the same method for fraud detection, and it works unreasonably well.

That said, I'd rather there be permissions surrounding WebRTC, but my clients are happy.
Comment #9894917 not loaded
api almost 10 years ago
It's easy to gather local IP addresses. WebRTC is just one of dozens of methods of doing this. Others include various DNS tricks, reverse TCP traceroute, <img> tag tricks, JavaScript/XMLHttpRequest tricks, etc. Private IP addresses (10.x.x.x) are *not* all that private.
Comment #9894157 not loaded
Comment #9896278 not loaded
Comment #9897325 not loaded
joosters almost 10 years ago
Can they grab local IPv6 addresses using this? While a huge number of computers are going to be on 192.168.0.1, their IPv6 address could actually be unique, making user fingerprinting easier.
Comment #9896043 not loaded
x0x0 almost 10 years ago
There's really no way in Chrome to disable WebRTC? That's amazing.

edit: from the horse's mouths https://code.google.com/p/chromium/issues/detail?id=457492

edit2: you can install this

https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml

and test here:

https://diafygi.github.io/webrtc-ips/

though Google sure seems to be dragging their feet on this so I'm sure they'll break this workaround soon
Comment #9895796 not loaded
Comment #9894136 not loaded
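The self-check page x0x0 links to, and joosters' question about IPv6, both come down to what a page can read out of the ICE candidate strings that RTCPeerConnection hands to JavaScript. The block below is an added example, not code from this thread or from any of the tools it links. It parses candidate lines, classifies each address (RFC 1918 private, CGNAT, public, IPv6 link-local, ULA or global, or an mDNS `.local` name, which is what current browsers substitute for the host IP), and flags an IPv6 address whose interface identifier looks MAC-derived, since such an address is the same on every network and answers joosters' fingerprinting concern. The candidate lines are constructed, not captured from any site, and the browser hook at the end is an assumption about how a self-check page would feed live candidates in; it is skipped under Node.

```javascript
// Added example, not code from the thread or from any tool it links.
// Classifies the addresses that appear in WebRTC ICE candidate lines so a
// defender can see exactly what a "does my browser leak my local IP?" page
// gets from RTCPeerConnection. Pure functions; runs offline in Node or a browser.

// Parse one a=candidate line (RFC 8839 syntax). Returns null if it does not match.
function parseCandidate(line) {
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line);
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3],
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
  };
}

// RFC 1918 private IPv4 ranges: 10/8, 172.16/12, 192.168/16.
function isRfc1918(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) || (p[0] === 192 && p[1] === 168);
}

// Heuristic: an IPv6 interface identifier with ff:fe in the middle was derived
// from the NIC's MAC address (modified EUI-64), so it stays the same on every
// network the machine joins and works as a stable fingerprint.
function isEui64(ip) {
  return /ff:fe[0-9a-f]{2}:[0-9a-f]{1,4}$/i.test(ip);
}

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns-obfuscated'; // browser replaced the host IP with an mDNS name
  if (a === '::1' || a.startsWith('127.')) return 'loopback';
  if (a.includes(':')) {
    const first = parseInt(a.split(':')[0], 16);
    if ((first & 0xffc0) === 0xfe80) return 'ipv6-link-local'; // fe80::/10
    if ((first & 0xfe00) === 0xfc00) return 'ipv6-ula';        // fc00::/7
    return 'ipv6-global';
  }
  if (isRfc1918(a)) return 'ipv4-private';
  const p = a.split('.').map(Number);
  if (p[0] === 100 && p[1] >= 64 && p[1] <= 127) return 'ipv4-cgnat'; // 100.64/10
  return 'ipv4-public';
}

// Given the candidate strings a page would receive from onicecandidate, report
// which addresses were actually exposed and which were hidden behind mDNS.
function summarizeExposure(candidateLines) {
  const report = { exposed: [], hiddenByMdns: 0, stableIpv6: [] };
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const kind = classifyAddress(c.address);
    if (kind === 'mdns-obfuscated') { report.hiddenByMdns += 1; continue; }
    report.exposed.push({ address: c.address, candidateType: c.type, kind });
    if (kind === 'ipv6-global' && isEui64(c.address)) report.stableIpv6.push(c.address);
  }
  return report;
}

// Constructed sample, not captured from any real browser or site.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 fe80::1c2b:3d4e:5f60:7a8b 54322 typ host',
  'candidate:3 1 udp 2122129151 2001:db8:1:2:211:22ff:fe33:4455 54323 typ host',
  'candidate:4 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:5 1 udp 2122260223 4f3e2d1c-0000-4000-8000-0123456789ab.local 54324 typ host',
];

// Assumed browser hook for a self-check page: gather live candidates from a
// throwaway data-channel offer and hand the strings to summarizeExposure once
// gathering ends (null candidate). Resolves to [] where RTCPeerConnection is absent.
function collectLiveCandidates() {
  if (typeof RTCPeerConnection === 'undefined') return Promise.resolve([]);
  return new Promise((resolve) => {
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [] });
    pc.createDataChannel('probe');
    pc.onicecandidate = (ev) => {
      if (ev.candidate) lines.push(ev.candidate.candidate);
      else { pc.close(); resolve(lines); }
    };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  });
}

console.log(summarizeExposure(SAMPLE_CANDIDATES));
```

On the constructed sample the report lists four exposed addresses (the private IPv4 host address, the link-local and global IPv6 host addresses, and the public server-reflexive address) and one candidate hidden behind an mDNS name; the global IPv6 address is also flagged as MAC-derived, which is the case where a machine is identifiable across networks even when its IPv4 side is the usual 192.168.x.x. The uBlock Origin setting and the Chrome extension mentioned in the thread both work by preventing the host candidates from being generated in the first place, so with them enabled the exposed list should hold nothing but relay or server-reflexive entries.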
proactivesvcs almost 10 years ago
I recently added tagsrvcs.com to my Privoxy blocklist. Source site? ycombinator.com.
Comment #9894938 not loaded
mastre_ almost 10 years ago
On OS X, Little Snitch catches this in Chrome, as it would in any browser: https://i.imgur.com/hWmpc42.png
jmount almost 10 years ago
WebRTC, a protocol proposed by Google to the W3C, has applications in user tracking and detection of bots. Cui bono.
Comment #9894466 not loaded
Comment #9894516 not loaded
Comment #9895256 not loaded
Comment #9894468 not loaded
ised almost 10 years ago
The www world really needs more www "browsers", particularly some more that do not implement JavaScript. Would it hurt to give users more choice and see what they choose?

Only my opinion, but there is much one can do without all the .js

I certainly do not need JavaScript to fetch some newspaper articles via HTTP.
Comment #9896013 not loaded
Comment #9895575 not loaded
phragg almost 10 years ago
So wasn't everyone up in arms about WHOIS recently, but seemingly uses the service to identify who wrote this script?
Comment #9896102 not loaded
Comment #9894944 not loaded
btown almost 10 years ago
The only possible reason I can fathom that this would be useful would be for tracking unique users behind a NAT (i.e. corporate or educational) who block all cookies. Seems like a pretty niche edge case in the U.S., but I'd imagine this could be useful in, say, the EU where cookies are opt-in by law?
Comment #9894813 not loaded
Comment #9894212 not loaded
beedogs almost 10 years ago
Reasons to block JavaScript, #12395 in a series.
donohoe almost 10 years ago
To be clear, it's not a developer at the NYTimes that has implemented this.

It looks like the script in question is hosted on a domain ("tagsrvcs.com") that Adobe uses when loading JS assets for Omniture.

This is very likely a standard Adobe Omniture thing. So it's not the NYT acting alone (or necessarily with awareness of this).
itistoday2 almost 10 years ago
Why are they doing this?
Comment #9894035 not loaded
Comment #9894029 not loaded
dsjoerg almost 10 years ago
I've had a bit to drink, can someone ELI5 this to me?
Comment #9894501 not loaded
1ris almost 10 years ago
In other news: if you create an IP connection, the other party knows your IP address. With WebRTC some parts of this ugly NAT madness are gone.

Nothing to see here.
Comment #9894898 not loaded
jgalt212 almost 10 years ago
Here's another white hat use case for local IP addresses.

You can use it to unobtrusively monitor license compliance for a SaaS biz. You charge each user. A user is constantly logging on from multiple browsers during the day (e.g. IE and Chrome). With local IP knowledge you can determine whether or not this is being done from the same machine (still abiding by license terms), or from multiple machines (most likely sharing with a colleague and breaking license terms).

Before this WebRTC hack the only other way to do this that I am aware of is via the dreaded Flash cookie.
Comment #9894321 not loaded
Comment #9894502 not loaded
Comment #9894499 not loaded