
WebRTC being used on nytimes.com to report visitors' local IP addresses - KORraN
https://twitter.com/incloud/status/619624021123010560
======
rcsorensen
It looks like this is related to 'bot detection' services from
[http://www.whiteops.com/](http://www.whiteops.com/) , as White Ops is listed
as the contact on tagsrvcs.com.

The html served back includes a script tag having

    
    
      require(['http://static01.nyt.com/bi/js/tagx/tagx.js'], function () {
    
    
      http://static01.nyt.com/bi/js/tagx/tagx.js
    

loads

    
    
      http://s.tagsrvcs.com/2/818492/analytics.js?<bunch of query params>
    

which defines an 'encryption key' that is later used to 'encrypt' POST
parameters back to tagsrvcs, but looks a lot like a page load identifer,
including using it to namespace 'postbacks' later on.

    
    
      tagsrvs.com/.../analytics.js

loads
[http://s.tagsrvcs.com/2/4.10.0/loaded.js](http://s.tagsrvcs.com/2/4.10.0/loaded.js)

    
    
      tagsrvcs.com/../loaded.js
    

'postsback' to urls like
[http://s.tagsrvcs.com/2/4.10.0/818492/L0an5rrDUnnex1s8dQ4fGu...](http://s.tagsrvcs.com/2/4.10.0/818492/L0an5rrDUnnex1s8dQ4fGulx3rf9ylLyE9KR3xx.sS8xNzg1MzEzOTIwNDI2MDE0OTU-/postback?pp=www.nytimes.com&sn=Homepage&c1=http%3A%2F%2Fwww.nytimes.com%2F&ui=b0520b7ff7ef892b46638af38c513e70&dt=8184921433871988867000&ci=818492&oz_tc=L0an5rrDUnnex1s8dQ4fGulx3rf9ylLyE9KR3xx.sS8xNzg1MzEzOTIwNDI2MDE0OTU-&oz_url=http%3A%2F%2Fs.tagsrvcs.com%2F2%2F818492%2Fanalytics.js%3Fpp%3Dwww.nytimes.com%26amp%3Bsn%3DHomepage%26amp%3Bc1%3Dhttp%253A%252F%252Fwww.nytimes.com%252F%26amp%3Bui%3Db0520b7ff7ef892b46638af38c513e70%26amp%3Bdt%3D8184921433871988867000&oz_sc=6d3be991ad97580e2e7c4a70&oz_st=1436651063118&oz_v=4.10.0&oz_df=908&oz_l=814&cv=2)

(Note the 'L0an5rr...' which is the same as the 'encryption key' returned
before in the 'analytics.js' file)

This collects some fun things like WebRTC addresses, scripts loaded on the
page, and much much more, and sends them out as they become available or more
events happen.

If you'd like to investigate this information yourself, the best place to set
a breakpoint is in 'loaded.js', inside the function
'e.prototype.emitAsCORSXHR' which is responsible for 'encrypting' the payload
before transmission.

------
syntheticcdo
Why is this such a big deal? When IPv6 is ubiquitous, all IP communication
will be 1:1 anyways.

In terms of privacy, IPv4 public + private IP is equivalent to IPv6 public IP
(which every device will have).

~~~
throwaway000002
This is not, perhaps, the real concern. It seems browsers, via WebRTC, expose
all detected public addresses, so even though your default route may be
through a specific interface, the browser will probe all local interfaces and
discover all possible public IP addresses.

I'll let you figure out how this could be compromising.

------
higherpurpose
Can you stop this in Chrome yet? Can ublock origin stop it?

~~~
KORraN
In release notes for version 0.9.9.3 it says: "New privacy setting: ability to
prevent local IP address leak through WebRTC"
[https://github.com/gorhill/uBlock/releases/tag/0.9.9.3](https://github.com/gorhill/uBlock/releases/tag/0.9.9.3)

