
JavaScript: New Privacy/Security Threat

Posted by on June 13, 2014.

 

Recently, a developer I know reasonably well contacted me to show me a new JavaScript library he had written which exposes information on all network adapters and connections on a PC.

This code was able to detect -all- network adapters along with the IP addresses assigned to them including virtual adapters. This means that internal and external (addressable and non-addressable) IP addresses are discoverable via JavaScript (including IP addresses for Virtual Private Networks).

This is a very serious situation – not only does it create network security issues but it can also be used to add entropy to server side fingerprinting for the purpose of tracking users across the world wide web.

The developer is a Director at Wolf Software in the UK. The version of the JavaScript file I tested was encoded, so I have asked him to disclose the vulnerability, both so that I can have it fixed in a web browser I am currently developing and so that the public can be made aware and other browser developers can fix it as well. Let me make it very clear – JavaScript should NOT be able to gain access to the network stack in this fashion; the security and privacy risks are severe.

However, after a lengthy discussion with the developer, he is refusing to release details of the vulnerability and is instead choosing to take the route of “Security by Obscurity”. His argument is (and I quote):

“no one else in the world knows how to do what I do, so no one else can do it so the risk is already mitigated in general”

First of all, I seriously doubt that is the case – there are a lot of incredibly smart people out there and the chances are this vulnerability has been discovered by others and may already be in the wild and being used to compromise security and privacy.

Secondly, security by obscurity is never an acceptable answer to such threats for exactly the reason above.

So I am going public with this information now, because it needs to be disclosed. I am asking JavaScript experts out there to investigate this vulnerability and go public with it so that it can be fixed.

UPDATE

So far the following browsers have been found to be vulnerable to this exploit:

Mozilla Firefox v 30.0

Google Chrome v 35.0.1916.153 m

Chromium v 31.1.0.0

 

The following browsers are NOT vulnerable to this exploit:

Internet Explorer 11

TOR Browser 3.6.2-Windows

Safari 5.1.7 for Windows

Safari for iOS 7 (iPhone – unable to check iPad)

 

UPDATE (18th June)

So it seems that Wolf Software’s JavaScript library is utilising HTML5’s WebRTC, which is a project by Mozilla and Google to allow real-time communications between browsers (think video conferencing without plugins). The belief of Wolf Software’s Director that he is the only person in the world who knows how to do this is actually quite wrong, and there is an interesting blog explaining some of the ways WebRTC can be abused here.

WebRTC is only available in newer Chrome/Chromium (including Chrome for Android) and Firefox builds and is therefore not currently an issue in Safari or Internet Explorer, but it does create some serious privacy and security risks as outlined in the blog I linked to in the last paragraph.

As such, this author believes that WebRTC should be disabled by default to mitigate such risks and only be turned on should users explicitly request it – however, given the advantages this gives Google and Mozilla for cross device tracking, I am not going to hold my breath on them making these changes.

My thanks to Mike O’Neill at BayCloud Systems for his work over the past couple of days on figuring out how Wolf Software are doing this.
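For anyone auditing what a given browser or configuration exposes, the following is an added example (not code from this post or from Wolf Software's library). It relies on the fact that WebRTC publishes connection endpoints as ICE candidate lines in the RFC 5245 format, and it classifies the addresses found in such lines. The candidate strings are constructed sample data, with 10.8.0.6 standing in for a VPN adapter; the function names are hypothetical.

```javascript
// Added example: classify the addresses carried in WebRTC ICE candidate lines.
// SAMPLE_CANDIDATES is constructed test data, not captured from a real browser.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 10.8.0.6 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 2122260223 3f2a9c1e-7b4d-4e0a-9c55-1d2e3f4a5b6c.local 54323 typ host",
];

// Parse one candidate-attribute (RFC 5245 section 15.1); null if malformed.
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const c = { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === "raddr") c.relatedAddress = f[i + 1];
  }
  return c;
}

// Classify an address by what it tells a remote page about the client.
function classifyAddress(addr) {
  // Later browser versions substitute random mDNS names for host addresses.
  if (addr.toLowerCase().endsWith(".local")) return "mdns-obfuscated";
  const m = addr.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return addr.includes(":") ? "ipv6" : "unknown";
  const [a, b] = [Number(m[1]), Number(m[2])];
  if (a === 127) return "loopback";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  if (a === 169 && b === 254) return "link-local";
  if (a === 100 && b >= 64 && b <= 127) return "cgnat";
  return "public";
}

// Summarise every distinct address a set of candidates would expose.
function auditCandidates(lines) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      if (addr && !seen.has(addr)) seen.set(addr, classifyAddress(addr));
    }
  }
  return [...seen].map(([address, exposure]) => ({ address, exposure }));
}

console.table(auditCandidates(SAMPLE_CANDIDATES));
```

Any row reported as "private" is an internal address that the page's script could read, which is the exposure this post describes.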



Submitted in: Alexander Hanff, Expert Views, News, News_malware, News_privacy, News_vulnerabilities