208 comments

[ 2.8 ms ] story [ 248 ms ] thread
While visiting this page it tryed to open my router's admin panel. Anyone see this too?
There is literally a "network scan" section of the page that informs you it's scanning devices in your local network.

That's why you see webrtc requests to internal IP addresses. I do not see any requests to the router admin panel, and in fact it looks like the code specifically avoids sending a webRTC request to the gateway IP (x.y.z.1)

Scanning the visitor's /24 without notice, warning, or opportunity to opt out is a dick move. Our IDS probably just lit up like a Christmas tree.
Yup. I have a honeypot on my home network that hits Twilio when it gets poked at. So the author at least got my phone to light up.
That sounds awesome, care to share a few more details?
I actually locked myself out except for console access, so some of this is from memory/Googling:

1. Connect Raspberry Pi to local LAN and get wifi setup (I VLAN wireless traffic, so I have it listening/connected to both)

2. Change iptables default policy to DROP

3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I added an allow rule to talk to another machine that runs a PHP script that talks to Twilio

4. Spend about a week adding custom DROP rules for any normal broadcast traffic on your network (Bonjour, random auto-discovery stuff, etc)

5. If you have properly excluded everything "normal" you should be able to run "iptables -vL" about 24 hours apart and the packet count next to the INPUT chain policy will not have incremented (remember we have a default of DENY)

6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ZOMG: " --log-level 4'

7. Write a bash script to monitor syslog, parse the log, forward to the before-mentioned script on another host

>I actually locked myself out

Hate it when that happens to me...every week.

Very smart!

Just my 2 cents, but I feel like there might be some commercial demand for something like this if you'd ever consider packaging it.

At least you know it's working!

But yeah, I echo the other commenter wanting to know more about how you set that up.

Sorry! Didn't think about that. It is fixed.
You should leave it in, if the whole point is to demonstrate the capabilities.

It's incredible that a webpage can do that.

Agreed - good on OP to raise awareness.
I think a button would be more appropriate. Not everyone reads HN on a network they control and port scanning one's neighbors can lead to some unpleasant conversations.
Maybe it's good that more conversations around this are started so that eventually this critique is upstreamed loud enough to the browser vendors.
> It's incredible that a webpage can do that.

How so? Any site you navigate to knows your IP, and can take action based on that.

This isn't based on external IP. This is using JavaScript to make requests inside your LAN.
Yeah I feel like samy.pl demonstrated this years ago, freaked me out and I have been running noscript ever since :D
Weirdly it's wrong for me, there's LAN IPs on the list that don't exist, and it's missing ones that do. Firefox on Ubuntu, with uBlock Origin, over WiFi.
You should also fix the copy. You have "To prevent your browser from accessing your Device Orientation use NoScript." appear twice, the second time under "Network Scan".

Congrats on the page!

Thanks for the bug report! It is fixed ;)
And what are methods to prevent browser from leaking all this information? I presume browsing in private mode is not a solution.
There should be some flags in the browser configuration to turn off or lie about some of these things. Or NoScript.
Shut off javascript.

Yes, this will reveal sites that serve broken pages that require javascript to render usually static content (skipping progressive enhancement is lazy and unprofessional). Are those sites worth the expense of everyone learning more fingerprintable data about your and your browser?

The WebRTC scan that others are complaining about is another good reason to shut off javascript. Are other sites doing similar scans, perhaps in a less obvious way? It is insane that random pages even have that ability; it's a huge attack surface that is mostly unknown and unexplored.

> private mode

That's mostly about not leaving data trails on the local device (hence the "porn mode" nickname).

It breaks all the single page apps. Javascript isn't the problem. Its browsers features like canvas, webrtc, etc.
> (skipping progressive enhancement is lazy and unprofessional)

Single page apps are definitely in the "lazy" category. If you send a page without content, that page is broken. You should be prioritizing the safety of your readers.

If developing proper pages is difficult with your develop0ment tools or methods, then you should find a different method - ideally something that handles the progressive enhancement for you.

I started to add some information/advice to every section on how to prevent the regarding type leak.

It would be great to hear your suggestions on how to improve both the advices!

Unfortunately that means disabling JavaScript.
> Geo Coordinates: [lat,lng about 90 miles from the correct location]

I find that error hilarious, because I setup correct in-addr.arpa and ip6.arpa reverse DNS entries for my (static) IP, which returns a domain name that has an accurate LOC record. My IP is two DNS queries away from my location (~10m precision), yet most of the time everyone uses these geoip databases instead of LOC.

Because you are literally the only one ever who has done this.
I found it shockingly accurate -- it gave the address of a house I can see out my window. I'm on an entirely wired connection, so I know it's not doing it via any sort of wi-fi location, but perhaps my ISP lays out IPs very predictably or something.
Mine is 30km off. The address is a farm 3km from the headquarters of my ISP.
Mines about 400 miles off - I'm in Scotland and it put me in london
Holy crap, I'm glad I have noscript running and only allow the minimal JS I need to run on pages I somewhat trust.
Yes, it's the first addon I install on a new browser. Can't recommend it enough.
While it hardly surprises any of HN audience, it's a GREAT showcase for a less technical audience.

I see that you removed automatic network scanning due to a comment here; but since it's an educational project, I think it would be valuable to add a comment that explains that a malicious website could get that info without consent.

> Your Device is propably laying on a Table

I'm one of those heathens that actually puts the desktop tower on top of the desk. Got me.

Your desktop has a gyroscope?
No, and the website reported as such. I guess if you have no motion/orientation sensors of any kind it just guesses it's on a table.
Sorry for the confusion. Don't take this interpretation too serious. It just for fun ;)
Odd. I went there using a desktop and it didn't report that my device was on a table.
Me too, my tower is in fact "laying" not standing, on a table. Just as an aside, this declaration should read. Your Device is "probably", not propably.
Not much of interest showed up for me. Monitor resolution, browser ID, geo location, OS and public IP.

My main browser, Firefox, has uBlock and Self-Destructing Cookies. Tried it in both IE11 and Edge (both of which I never use), and I got pretty much the same result. Firefox and Epiphany on Gentoo Linux also failed to startle me.

I'd like to see a screenshot of a "worst case scenario".

> Not much of interest showed up for me. Monitor resolution, browser ID, geo location, OS and public IP.

Are you saying it showed your geo location without having prompted for it, and that you're OK with that?

I meant whatever DB they use to get location from an IP address.
> I meant whatever DB they use to get location from an IP address.

They aren't using GeoIP lookups. Google runs a service that uses Javascript to try to provide a more accurate position than GeoIP can.

This is a perfect example of what an attacker could do with your browser. If you can get a user's browser to run code, as this site demonstrates there is a lot of information you can find. And coupled with a Cross-Site Request Forgery, you could get access to a bunch of things. If your home router has a vulnerability that bypasses authentication and allows you to execute commands on the router or similar (which is not uncommon, home router security is awful), you could get a foothold into the network just by sending someone a email with links that they are likely to click on.

Note to the author: I am not entirely sure how the WebRTC connection gets you a local IP, it seems to be connecting to stun:stun.services.mozilla.com. Anyway,that grabs the wrong local address for me, and gets the IP of my docker0 interface, perhaps it could grab more IPs, or is it just displaying the first one it finds?

Edit: Oh, the getIP function just calls the callback on the first candidate it finds.

If you try this with your iPhone it activates your gyroscope and says "Your Device is probably in your Hands."

It knows too much

It gets worse

Reading keystrokes from a nearby keyboard using the gyroscope http://www.cc.gatech.edu/fac/traynor/papers/traynor-ccs11.pd...

Speech Recognition using the gyroscope http://www.wired.co.uk/news/archive/2014-08/15/gyroscope-lis...

Not just a problem with webpages, apps that don't have access to your mic do have access to your gyroscope

One possible solution is to not allow gyroscope reading above say 20hz without user permission (for both apps and webpages)

should not be possible to read any phone sensors without permission!
Between NoScript and Random Agent Spoofer, nothing is correct except my resolution and a couple of plug-ins (like Flash and VLC).

Shutting NoScript off doesn't make too much difference, and I don't think RAS does that much (some sites seem to see through it), so it must be one of the other addons (uBlock Origin, Disconnect, BetterPrivacy, HTTPS Everywhere).

Ironically, not using those plugins is a fingerprint in and of itself.
For some reason, this worked really badly when I tried it. About the only things it figured out were that I run Linux on an x86_64 system and use Firefox. Well, it did get my ISP right, so that pretty much limits my location to a single country. Even my display resolution was not right. It did find quite a few devices on my network. All of them non-existent, though.
Your browser can not connect with the other devices, unless they run a webserver. This scanner can just detect if there are any devices.
The social media thing is cool, I didn't know that trick of using the favicon.ico img under the login of a site to see if the image will load or not. That's pretty nifty
Might still need some work though:

Chromium 49. The only place I am logged into is Reddit

> Twitter: logged in > Facebook: logged in > Google Plus: logged in > Reddit: logged in > Flickr: logged in

That's an old one. You can see browsing history, if persistent caching is enabled.
The network scanning thing is both scaring and revealing. I never thought about that, thanks!
I found it interesting that it could read my battery level and discharging time. As for device orientation, I think I've seen that before but I had forgotten about it being possible.
Would be good for targeted ads for mobile charging stations. "Battery running low? Charge up opposite starbucks for $1. Look behind you!"
I visited the page once on my Android using my HN app's built-in webkit browser, where it displayed some interesting stats like the location, the battery level, ISP, etc.

I opened the same link in Firefox Android with uBlock Origin installed, and got no hardware stats other than the kernel, no software stats, and no IP.

My takeaway from this is to NEVER use an app that uses Webkit.

I'm not sure if that was the intended purpose, but thanks for the eye-opener anyway!

My takeaway would've been; use some sort of protection, like NoScript, uBlock, etc. The choice of web-browser engine seems less important when you globally allow javascript or other similar capabilities.
This is true, but on Android this is not possible on Chrome or the default webkit browser, as Google doesn't allow extensions. So my point still stands.
> My takeaway from this is to NEVER use an app that uses Webkit

You're talking about WebKit on android, which was ported there by Google.

The original WebKit (as WebKit, not khtml) browser (Safari) doesn't leak all that information, so my take away would be not to trust a company obsessed with collecting private information and pushing all things into a browser, to have the best track record when it comes to protecting your privacy.

Something about visiting the page seems to knock my Android phone off of Verizon's data network for a short period.
Thanks for the nice demonstration. Looks like the speed test is running of a very random source image that might not be yours. If it isn't, you might want to look at hosting your own image for it.
OS X 10.11.4:

Safari 9.1 : Minimal HW/SW detection, No social media leak, No network scan (after click)

Safari 9.1.1 (Tech Preview) : Minimal HW/SW detection, No social media leak, No network scan (after click)

Chrome 49.0.2623.110 : Full HW/SW detection, Social media login detected, Network scanning (after click)

Firefox 45.0.1 : Full HW/SW detection, Social media login detected, Network scanning (after click)

Wow. Safari is so strict, but I wonder if that's because Safari is (my assumption) a less fat browser after all.
Or just the browser with the least amount of funding tied to advertising.
And that's why so many sites break with it.
When the parts that break are leaking user hardware and network information, I'll take the break thanks.
It isn't like there is no legitimate use case for these technologies. It's just that they are accessible without any supervision.
And I'd rather not have them than accept the glaring security and privacy issues of having them without user permission.
No network scan is because Safari does not support WebRTC
do you have adblocking or ghostery on one or more of your browsers?
no ghostery on any browser

On Safari 9.1.1 TP : no addons

On Safari 9.1 : AB (getadblock.com)

On Firefox : uBO / No "NoScript" (for testing)

On Chrome : uBO

Safari 9.1 and 9.1.1 leaked my social media logins. Also 9.1.1 said "MacIntel, 4 cores" while 9.1 left out the amount of cores.

Also, my machine only has two physical cores, so 9.1.1 leaked physical + virtual

Interestingly after visiting this page the default language on the Google Accounts sign-in had been changed to German.
Not sure why battery is exposed; I guess that's the result of making browsers more like OSes.

The only really annoying thing is the idiotic WebRTC settings. Their love for "data channels" with zero prompts, despite having no legitimate uses[1], ignores your proxy settings. This should be fixed.

1: I asked someone involved with WebRTC. They suggested "maybe a page wants to communicate with your fridge directly" as a serious use of WebRTC data channels.

There are some really cool uses of webrtc data channels. e.g. https://webtorrent.io/
Yeah, and that's also a great example of what should NOT be allowed without the user's EXPLICIT permission - simply visiting a link should not result in a torrent download!
Simply visiting a link downloads dozens, sometimes hundreds of files without your explicit permissions. It simply uses a different protocol.
No, it doesn't just use a different protocol. It ignores your network settings (proxy) and exposes your local network information.

I can understand not wanting to scare people with "Allow P2P Data Channel", but ignoring proxy settings and revealing all IPs is unacceptable. WebRTC folks toss off these concerns with "there's no way to prevent tracking so heh".

Visiting a link exposes also a lot on default. Browser, OS, Resolution. The major browsers are not build for this needs. Best experience first. BTW: There are extensions to block webrtc ip leak.
> Visiting a link exposes also a lot on default.

We should be reducing the amount of data exposed and fixing the mistakes of the past that allowed so much data to be easily exfiltrated.

> Best experience first.

"Best" is not a defined term. What software developers should (always) be providing is the safest method first. Fancy UI tricks are a far lower priority than safety. If there is any doubt, fail safely.

Anybody that isn't putting safety first is being incredibly irresponsible. Stop leaking data and design for safety and security first. Yes, this it will be harder to make a nice user experience. In time, this will improve, but in the meantime safety is not something that can simply be ignored.

> extensions

Safety is not an optional feature that only some people should have.

It's bad that it ignores network settings.

But that's orthogonal to whether it's torrenting. You can torrent while respecting network settings, and without exposing local IPs.

Simply visiting a YouTube link should result in the video to start streaming right away though?

How will you know that a download is desired or not?

<video> tags are a more standardized part of the web. Although I should be able to disable auto-buffering as well as auto-play.

Ideally the user can control whether all types of content get loaded—images, CSS, JavaScript, web fonts—or even allow/deny individual domains or files, but so far browsers require an extension like uMatrix for that.

The fact that some browsers do allow you to control these things, even if you have to use an extension because they don't support it themselves, is crucially important and totally acceptable. AFAIK there is nothing equivalent to NoScript for IE, however, so that's just one of many reasons I don't use it.

I don't really mind the trend in browsers over the last several years to give explicit access to more OS resources, it frees us from both Flash and Java Applets, Adobe's PDF reader, and other crap. But I'm not sure the browser replacements, at least in the short term, will actually get the security models any better. Is there any reason to prefer all these new JS APIs over allowing a Java Applet, besides "Java Applets are insecure"? It's certainly not performance -- I know many people chuckle when someone demos the latest X in JS (with or without WebGL) where X was done better with less hardware years ago via an applet. Secure or not, it's incredibly difficult to actually run an applet these days, and it's a strange disconnect with how the browser is fine doing so much else without warning. Will we see a similar increase in difficulty for running JS that can be just as insecure?

I've been a NoScript and adblock advocate for many years, but the first is often met with alien stares and the second is only successful when I install it on their browser myself or when I'm recommending adblocking to either other technical people or people who really hate ads even on TV. There's a weird resistance some people have that can get brought up in both cases, though, and it's probably going to take more than a few big public fails due to malicious websites before people will stop bringing it up. The argument adblocking users have been making for ages: this is my computer, my browser, and neither is under any obligation to act in a particular way based on the contents of what your server sends me. I don't like your ads? I can choose not to see them. I don't trust your JS? I can choose not to execute it. I don't like your theme? I can load my own. It's very weird to me that people oppose this view.

Do you use NoScript in everyday? I think while it would make those annoying APIs go away, the web site experience would became a bit poor and even not work properly.
> Simply visiting a YouTube link should result in the video to start streaming right away though?

I hate that. Is there a reliable way to turn that behavior off?

If you're Firefox user go to 'about:config' and set 'media.autoplay.enabled' to false
To know that arbitrary netcode can run silently on the background of my browser is really surprising. And not in a good way.
https://snapdrop.net is also a cool use of webrtc ;)
Is the wink because of the 502?
No, it's an app of mine and up again. Thanks a lot for telling me it was down!
Multiplayer gaming is a legitimate use of data channels, but I don't see why it couldn't prompt for permission.
WebRTC folks insist prompts will confuse people and be bad. But ignoring explicit networking settings is good, somehow.
Acceptable default but one should be able to enable prompts as a less-confused user.
I am not sure if this battery is not just FUD and some other sections as well. Because I currently have no battery in my laptop (no battery detected) and site is saying "Charging: charging", "Battery level: 100%", "Charging time: 0h"
More likely, battery detection is just a little broken, like most of the supercharged, application delivery platform, content-powered Web 2.0.
My desktop system is saying the exact same thing.

The page also thinks my system is flat on a table. Close; the screens are, while the tower's on the floor :P

Works quite well on my phone.
Oh so it works on mobile phones then, not laptops.
It made a correct reading for my laptop (Macbook).
It was spot on for my phone at 85% and charging
Just like with mobile apps, battery info can help websites decide whether they should run a complex operation now. It also helps detect regressions if a commit happens to suck power faster. Unfortunately, it's more bits available to deanonymize users across websites.

Data channels are useful for synchronizing your phone and your laptop. All native platforms support this. Most websites do it with a roundtrip to the server. So it would be mysterious to the user why a permission is prompted for something that should just work. Obviously it's bad for privacy though.

So painting it as having no legitimate uses is a bit one-sided. There is no easy fix.

What websites do CPU-intensive work that can be delayed for hours?

In general I want a website to suck as much power as possible so it can be done sucking power as soon as possible, whether I'm on battery or not. If you want to find waste, track execution time and bandwidth use.

I'm not sure I understand your point. Many apps (would) benefit from delaying some tasks and waiting to be on charge and a wifi connection. Typically, synchronization for example requires the device to be awake for a long period because of network roundtrips, transfers, disk seeks and CPU work. Software updates are similarly impactful on the battery.

At least, it makes sense to measure battery usage to optimize your code. And in my opinion, it's also beneficial to react to battery events (delay when on low battery, process when on a wall socket) and network events (bad coverage vs. strong wifi).

I'ts funny with WebRTC, because I rememeber when the same could be accomplish with Java applets (Java ignored any proxy settings, which allowed to deanonynimize people on the internet, e.g. it no longer mattered if you were behind TOR if you had Java enabled). I think it was considered security bug and was patched later. Seems that WebRTC people are not so security-wise I suppose...
Ok, so it doesn't know anything but my OS and screen resolution. Seems good to me, considering I'm not using NoScript and the like.
I'm not quite sure what this is meant to prove - all of what was revealed for me seems tame. Is it meant to scare users to disable JS?
Yes. And WebGL, and WebRTC.
(comment deleted)