
Show HN: Get your local and public IP addresses in JavaScript - diafygi
https://github.com/diafygi/webrtc-ips
======
joshmn
I use this exact method for fraud detection. 99% of the time, carders will
simply load up a proxy in Firefox/Chrome (usually a socks5) and fire away.
They typically don't tunnel their whole connection through the proxy, just
their browser.

If their request IP doesn't match up with this IP, there's a very high chance
that the order is fraudulent.

~~~
sauere
Not that I'm an expert. But I think only amateurs would be so foolish. Nearly
all open proxies out there forward the client's real IP in the HTTP
X-FORWARDED-FOR header.

~~~
joshmn
In a former life, I was an expert.

HTTP proxy is not a SOCKS4 is not a SOCKS5. :)

What they'll do is buy from a proxy shop - usually someone(s) with a
botnet and a lot of clients on that botnet - so the IPs are residentials.
vip72.com is a popular one. They do provide a client which will allow you to
tunnel your entire system through the proxy, but it's not required for use
(and some people are wary of it)
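The request-IP versus STUN-IP comparison described in this subthread, written out as an added example; this is not code from the webrtc-ips project or from the commenter. It assumes the page's JavaScript posts the raw ICE candidate lines it collected to the server (the `candidate:` line format is the one from RFC 5245), and the sample candidates below are constructed. A mismatch is returned as a signal for review rather than a verdict, since a legitimate VPN or multi-homed host produces the same mismatch:

```javascript
// Added example: server-side check comparing the public address that the
// STUN probe reported to the browser (srflx candidate) with the address the
// HTTP request actually arrived from.

// Parse one "candidate:..." line into its connection address and type.
// RFC 5245 format:
// candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return { address: m[1], type: m[2] };
}

// Split candidates into local (host) and STUN-reflexive (srflx) addresses.
function collectAddresses(candidateLines) {
  const local = new Set();
  const reflexive = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue; // ignore malformed input sent by the client
    if (c.type === 'host') local.add(c.address);
    else if (c.type === 'srflx') reflexive.add(c.address);
  }
  return { local: [...local], reflexive: [...reflexive] };
}

// Compare the STUN-observed address with the request's remote address.
// Returns a risk signal, not a verdict: "mismatch" is consistent with a
// browser-only proxy but also with a VPN or a multi-homed machine, and
// "unknown" (WebRTC disabled, STUN blocked) is no evidence either way.
function assessProxyMismatch(requestIp, candidateLines) {
  const { local, reflexive } = collectAddresses(candidateLines);
  if (reflexive.length === 0) {
    return { signal: 'unknown', reason: 'no reflexive candidates', local, reflexive };
  }
  if (reflexive.includes(requestIp)) {
    return { signal: 'consistent', reason: 'request IP matches STUN-observed IP', local, reflexive };
  }
  return {
    signal: 'mismatch',
    reason: `request from ${requestIp}, STUN observed ${reflexive.join(', ')}`,
    local,
    reflexive,
  };
}

// Constructed sample candidates (documentation addresses, not real hosts).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234 generation 0',
];

// Request arrives from a different address than STUN saw: flag for review.
console.log(JSON.stringify(assessProxyMismatch('198.51.100.7', SAMPLE_CANDIDATES)));
```

The `unknown` branch matters in practice: a client with `media.peerconnection.enabled` set to false (as mentioned further down the thread) yields no reflexive candidates, and treating that as fraud would penalise everyone who hardened their browser.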

------
throwaway125
This can be disabled in firefox's about:config page by setting
media.peerconnection.enabled to false.

The problem with disabling all these features on a case by case basis is that
you contribute to a richer fingerprint this way. Browsers will become
increasingly more vulnerable to fingerprinting and there doesn't seem to be a
way to stop it without going back to the dark ages of the web.

~~~
userbinator
I just disable JS by default and whitelist the (very few, currently) sites
that absolutely need it.

That probably means I share the same fingerprint as everyone else using the
same browser with JS disabled.

~~~
hobs
User-Agent still changes, and since people enable it for various sites, you
can try to load it from different domains and see what is blocked/loaded.

------
trainbeeps
If you use Chrome and a Tor SOCKS proxy, get ready for a big surprise.

Edit: owfffjaqvllmh4zi.onion reveals true IP addresses when using Chrome
through Privoxy and Tor chain.

~~~
jwise0
That is an important piece of information, but viewers be advised: _that page
has a non-work-safe background and is NOT exactly a copy of the GitHub demo
page (and has other obfuscated JavaScript running on it)_.

------
hbbio
This was already shown January 7th by:

[http://jsfiddle.net/alokmenghrajani/0qo4kq7x/](http://jsfiddle.net/alokmenghrajani/0qo4kq7x/)

~~~
amenghra
There are some interesting comments in the hackernews thread I started:
[https://news.ycombinator.com/item?id=8859350](https://news.ycombinator.com/item?id=8859350)

------
mtmail
"Additionally, these STUN requests are made outside of the normal
XMLHttpRequest procedure, so they are not visible in the developer console or
able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes
these types of requests available for online tracking [...]"

So the extra effort to get around adblockers?

~~~
hackcasual
You can see it in: chrome://webrtc-internals/

------
donatj
It's particularly interesting in that it gets ALL my local ip addresses. This
seems quite dangerous. Could they just start probing around my local network
or does cross domain stuff kick in?

~~~
doktrin
I don't see how. WebRTC may leak your local IP, but that doesn't mean someone
outside your local network can interact with it (without compromising a
machine on said network).

~~~
tonyarkles
If your router is vulnerable to XSS or something like it, an attacker can
probably guess its IP pretty easily (x.x.x.1).

Edit: I realized I didn't take this to its full conclusion. Guess the router's
IP, exploit XSS to open ports on the router to your machine (JS knows your
local IP already), carry on escalating from there.

~~~
doktrin
That's a great point. You're 100% correct. Can you recommend any good reading
on offensive security?

~~~
bestham
You could have a look at Samy Kamkar's talk "How I met your girlfriend" at
Blackhat 2010:
[https://www.youtube.com/watch?v=O5xRRF5GfQs&ab_channel=killa...](https://www.youtube.com/watch?v=O5xRRF5GfQs&ab_channel=killab66661)

------
binwiederhier
Holy cow. Browser devs seem to become crazier by the minute. Combine this with
the lack of a same-origin policy in the JavaScript websocket API and you can
really poke around in the local network.

~~~
geofft
There's no SOP in the JS websocket API because websockets are a newly-designed
protocol specifically for the use case of being called from JS. If you have
websocket servers on your local network (... although, why?) they know they
should be checking origin.

~~~
jessaustin
_If you have websocket servers on your local network..._

Maybe those aren't common, but it's very common to have something that looks
just like one (speaks HTTP on port 80), which is called a web server. That
might be embedded in your router or other device, or it may be a configuration
interface for your POS, or it might be hiding in some other dark and unpatched
corner that was formerly hidden behind a firewall. Of course it would be nice
if the server simply doesn't respond (while writing alarms to the log) when it
sees an _Upgrade: websocket_ header, but can we be sure that all our hidden
servers are so well-behaved?

~~~
geofft
The intention of the WebSocket protocol is that the handshake is sufficiently
unlike HTTP that nobody could make a _meaningful_ response to it by mistake.

As for non-meaningful responses, isn't this equivalent to using
<img src="http://192.168.1.1/admin?action=evil">
to send an HTTP request? That's also not restricted by same-origin, and never
has been and never will be. You get the same result -- you cause an HTTP
request to be sent somewhere, and the response isn't useful to you nor is the
contents of the response visible to you, but the request and its side effects
still happen.

I'm not super well-versed in websocket design, so I'm happy to be convinced
I'm wrong, but that's my understanding of why it works the way it does.

~~~
jessaustin
Ahhh, you're right. I guess this just ends up being another way of
"fingerprinting" the hosts on the local network, which really is kind of
minor.

------
mattaustin
This is the bug from Google about a year ago saying it is by design.
[https://code.google.com/p/chromium/issues/detail?id=333752](https://code.google.com/p/chromium/issues/detail?id=333752)

------
The_Fox
The demo reported 192.168.56.1 as a local IP. Now they know I have VirtualBox
installed. I wonder what other IPs can leak information about common apps and
network configs.

------
droithomme
The concept is useful, but the API with its need for all these asynchronous
callbacks, really sucks donkey balls.

------
benmorris
This is pretty good timing. I got an email from Braintreepayments this week
that I needed to implement some code changes for fraud detection and paypal
before march. Upon integrating this code I noticed some odd data being sent
back:
[https://www.braintreepayments.com/docs/ruby/general/fraud_to...](https://www.braintreepayments.com/docs/ruby/general/fraud_tools)

It turns out that this script must employ this technique. After inspecting the
requests in chrome Dev tools it appears all my private ips were being
collected and sent over the wire back to Braintree (or whatever company is
hosting their fraud detection).

------
totony
Does not work on Firefox Developer edition 37.0a2

media.peerconnection.enabled is set to true

EDIT: hbbio's jsfiddle works

~~~
diafygi
What is in the about:config entry for "media.peerconnection.default_iceservers"?
They could have removed the default STUN server.

~~~
abbeyj
This error message in the console looks like it indicates the problem:
TypeError: Not enough arguments to mozRTCPeerConnection.setLocalDescription.
webrtc-ips:72:20

According to the docs, the error callback is not optional.

------
snake_plissken
Is there a specific reason stun.services.mozilla.com cannot be pinged
successfully? Is this by design?

Edit: Apparently it is by design; ICMP ECHOs are blocked by default on AWS
instances, on which stun.services.mozilla.com [54.172.47.69] is running.
[http://aws.amazon.com/articles/1145?_encoding=UTF8&jiveRedir...](http://aws.amazon.com/articles/1145?_encoding=UTF8&jiveRedirect=1#18)

------
desdiv
Let's have a quick survey:

1. Are you currently using WebRTC in any projects?

2. Are you planning on using WebRTC in the future?

3. Do you think that WebRTC should be enabled by default in browsers?

~~~
contingencies
1. No / 2. No / 3. Yes, with explicit permission and warnings every time.

------
josteink
Fails in Firefox nightly with the following errors:

    This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] webrtc-ips
    TypeError: Not enough arguments to mozRTCPeerConnection.setLocalDescription.

Here's me hoping they're addressing these concerns already.

------
szimek
I've been using it for almost a year on sharedrop.io (p2p file transfer app)
to distinguish peers in the same local network. The code I'm using for finding
local IP comes from [http://net.ipcalf.com](http://net.ipcalf.com). The app
even allows you to select your local IP in case you got more than one, e.g.
because of VPN.

------
olalonde
Wow, seems like a big privacy issue. Does this mean that VPNs soon won't be
effective for masking your IP?

~~~
The_Fox
No. Your public IP has always been available to a Javascript developer who
knows enough to write a one-line PHP script that prints
$_SERVER['REMOTE_ADDR'] (as an example). This just makes it available via
another protocol.

The new bit is that you can now get local IPs. But that doesn't help someone
trying to figure out if you're using a VPN.

~~~
olalonde
> Your public IP has always been available to a Javascript developer who knows
> enough to write a one-line PHP script that prints $_SERVER['REMOTE_ADDR']
> (as an example).

The demo shows both my USA VPN IP address and my China Telecom IP address
under "public addresses" (I strongly doubt this was possible before WebRTC).
This means that Hulu, YouTube, Netflix etc. can now start blocking me even
when I'm behind a VPN.

------
nfriedly
I set up
[http://ip.nfriedly.com/json?callback=foo](http://ip.nfriedly.com/json?callback=foo)
a while ago - it's available if anyone is interested in a simpler version that
also works for older browsers.

~~~
madeofpalk
When you're on the command line:

    curl ifconfig.me

~~~
nfriedly
Nice! I didn't mention that
[http://ip.nfriedly.com/text](http://ip.nfriedly.com/text) works too, but I
like the ipconfig.me domain name.

------
blueskin_
Doesn't work for me, thankfully. The funny thing is, I have enough different
privacy and security addons that I don't even know which one is protecting me
here (best bet is possibly NoScript, even though I allowed scripts on that
page).

------
aikah
I hope webrtc isn't authorized by default by browsers. I want to give explicit
consent. It should even have been that way for ajax requests.

~~~
slang800
What makes AJAX requests dangerous?

~~~
slg
Some people just want to know about any data their browser is sending server
side. In the old days, your browser would not do anything without you making a
conscious action. Widespread AJAX use changed that so your browser could be
sending information to a server without any oversight. That lack of oversight
isn't inherently dangerous, but certainly has potential for exploitation.

~~~
eknkc
You could always send information using javascript by loading images, hidden
iframes etc. (You would not get a meaningful response though). This applies to
dark old days even before JS.

~~~
hrjet
Great point. Lately we have been reconsidering the request manager matrix
shown in gngr. It was inspired by HTTPSwitchBoard's matrix, that has a
separate column for XHR.

However, like you pointed out, there are other ways than XHR to leak data if
JS is enabled.

If JS is not enabled, the kinds of data that can be leaked are fewer (perhaps
screen resolution and size).

Would welcome expert comments on our issue tracker:
[https://github.com/UprootLabs/gngr/issues/90](https://github.com/UprootLabs/gngr/issues/90)

------
xyby
Why do I have two public IP addresses?

~~~
jenscow
It assumes anything other than 10.* and 192.168.* are public.

[https://github.com/diafygi/webrtc-ips/blob/master/index.html...](https://github.com/diafygi/webrtc-ips/blob/master/index.html#L83)
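An added example, not the demo's own code, showing how a defender would classify the addresses WebRTC hands back before calling any of them "public". The comment above describes the demo's heuristic as treating everything outside 10.* and 192.168.* as public; RFC 1918 also reserves 172.16.0.0/12, and loopback, link-local, shared-address (RFC 6598) and IPv6 unique-local ranges are not routable either, which is one way the "two public IP addresses" question can arise. The VirtualBox hint reflects The_Fox's remark earlier in the thread that 192.168.56.1 is the host-only adapter address; the sample address list is constructed.

```javascript
// Added example: classify browser-reported addresses by RFC-defined ranges.

// Parse dotted-quad IPv4 into an integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// CIDR membership using arithmetic (avoids 32-bit signed shift pitfalls).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(net);
  if (a === null || b === null) return false;
  const blockSize = 2 ** (32 - Number(bitsStr));
  return Math.floor(a / blockSize) === Math.floor(b / blockSize);
}

// Non-public IPv4 ranges a classifier should know about.
const IPV4_SPECIAL = [
  ['10.0.0.0/8', 'private (RFC 1918)'],
  ['172.16.0.0/12', 'private (RFC 1918)'],
  ['192.168.0.0/16', 'private (RFC 1918)'],
  ['100.64.0.0/10', 'shared address space / CGNAT (RFC 6598)'],
  ['127.0.0.0/8', 'loopback'],
  ['169.254.0.0/16', 'link-local (RFC 3927)'],
];

// Well-known adapter ranges that reveal installed software (fingerprinting).
// Assumption: VirtualBox's default host-only network, as noted in the thread.
const ADAPTER_HINTS = [
  ['192.168.56.0/24', 'VirtualBox host-only adapter'],
];

function classify(ip) {
  if (ip.includes(':')) {
    const lower = ip.toLowerCase();
    if (!/^[0-9a-f:]+$/.test(lower)) return 'invalid';
    if (lower === '::1') return 'loopback';
    if (/^fe[89ab]/.test(lower)) return 'link-local (fe80::/10)';
    if (/^f[cd]/.test(lower)) return 'unique-local (RFC 4193)';
    return 'public';
  }
  if (ipv4ToInt(ip) === null) return 'invalid';
  for (const [cidr, label] of IPV4_SPECIAL) {
    if (inCidr(ip, cidr)) return label;
  }
  return 'public';
}

function adapterHint(ip) {
  for (const [cidr, hint] of ADAPTER_HINTS) {
    if (inCidr(ip, cidr)) return hint;
  }
  return null;
}

// Group a list of reported addresses into public and non-public, with the
// reason and any software hint attached to the non-public ones.
function splitAddresses(addrs) {
  const result = { public: [], nonPublic: [] };
  for (const address of addrs) {
    const label = classify(address);
    if (label === 'public') result.public.push(address);
    else result.nonPublic.push({ address, label, hint: adapterHint(address) });
  }
  return result;
}

// Constructed sample: what a multi-adapter machine might report.
const SAMPLE_ADDRESSES = ['192.168.56.1', '172.20.3.4', '203.0.113.45', 'fe80::1', '2001:db8::5'];
console.log(JSON.stringify(splitAddresses(SAMPLE_ADDRESSES), null, 2));
```

With the sample input, only 203.0.113.45 and 2001:db8::5 come out as public; 172.20.3.4 is correctly filed under RFC 1918, and 192.168.56.1 carries the VirtualBox hint, illustrating the fingerprinting concern raised above.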

