lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 9 Aug 2014 23:45:46 +0200
From: Stefan Paletta <stefanp@...al1.net>
To: fulldisclosure@...lists.org
Subject: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header

Hi!

“Steganos Online Shield VPN” claims to enhance the user’s privacy online (<https://www.steganos.com/en/products/vpn/online-shield-vpn/features/>) by, among other measures, (a) blocking advertisements in web pages, (b) blocking tracking code in web pages,  and (c) replacing the browser’s “User-Agent” header with a fixed value. The measures can be enabled independent of each other and independent of other functionality of the software (e.g. use of a VPN connection).

Use of any feature (a) through (c) will enable a local HTTP proxy server based on Node.js (<http://nodejs.org/>) and <https://github.com/axiak/filternet>.

When (a) and/or (b) are enabled, and (c) is not, the proxy will leak the hostname of the machine in a “Via” header like so: “Via: 1.1 foobar:8123 (Steganos Online Shield)” (where “foobar” is the local hostname).

The code is this <https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L19> (think %windir%\System32\HOSTNAME.EXE) and this <https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L116>.

When (c) is enabled, custom code in the proxy will replace the “User-Agent” header with a fixed value and replace the “Via” header with the empty string (not remove it altogether), thereby mitigating the information leak.

The machine’s hostname is usually strongly connected to the user’s identity (often containing their name). In addition to that, it is a strong distinguisher that will allow a correlation of HTTP requests as originating from the same machine (and thereby user, to some degree) even when these requests are not otherwise related in any way.

When reproducing, be careful that online services echoing back your HTTP request may or may not echo a “Via” header when one is in fact present.

–Stefan

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ