Bitcointalk.org would like to use your current location

[Lucius]

A few months back I got a strange notification/ad in my desktop browser, and I save ss, but forget to post about it. I browse the forum as a guest, so maybe it is some of the fake bitcointalk sites. Is this type of ad ever been available in the forum?

[1715408279]

1715408279

[1715408279]

1715408279

[TryNinja]

You were on bitcointalk.to (it has these ads). But it looks like it is down now?

BitcoinTalk doesn't have this kind of ads (only the small banner between some posts).

[Lucius]

I always use the link for bitcointalk saved in my bookmarks years ago, this is the only way that I use for login on this site. Too bad I did not save address bar to be sure, but as you say it is probably that fake .to site which is down for some time, and the domain is for sale, only $4,930. It might not be bad move for a forum to buy it?

https://uniregistry.com/market/domain/bitcointalk.to

[LTU_btc]

It's not gonna ask again if you blocked (or allowed) it. Assuming it's Chrome, go to (Lithuanian equivalents of) Settings, Site Settings, Location, find Bitcointalk under Blocked or Allowed, remove it, and try again.

No, I didn't blocked it, neither allowed it. I just closed browser tab after I saw that.

@OP haven't you experience the pop up on other websites which doesn't usually ask for your location? If it is maybe it is really related to your browser app or you might have other third party apps doing that for you in disguised of a website asking your location.

I haven't noticed anything similar on other websites recently. It might be app, but I don't have any apps on my phone which looks suspicious.

@LTU_btc were you on your usual connection to bitcointalk?

The local cable provider where I am is injecting javascript ads to http (not https) pages.

-Dave

Yeah, it was usual connection.

The feds are onto you.

LOL, Big Brother is watching.

[o_e_l_e_o]

Unless you have a good reason to allow your browser to access your location, then you should remove its permission to do so. Your browser does not need access to your location, microphone, camera, contacts, and so forth, unless you are using a specific site which requires these for whatever reason. I would advocate this for all apps and all permissions. All the most common apps ask for crazy permissions which they don't need. Amazon wants your access to your location, microphone and camera, phone status, photos and media, bluetooth access, and more. Facebook wants all that plus your calendar, your device history, your other running apps, your text messages, and more. There is absolutely no need for these apps to have these permissions, and they will work just find without them; they just want to track you. Go in to your phone's settings and start revoking all these nonsense permissions.

Imagine Cloudflare has all the logs of the IP address that you have ever used to browse your BitcoinTalk account.

The definitely do, but so does the forum, your ISP, probably your government, and so forth. If you don't want your IP address being widely broadcast, then you should be using a VPN or Tor.

[bob123]

Go in to your phone's settings and start revoking all these nonsense permissions.

Wait.. so are you telling me that my flashlight app doesn't actually need location-, calendar-, network-, microphone-, contacts- , call-, sms- and storage permission to turn on the light?

But hell.. its just a click anyway.

/s

[mprep]

Looking at the Cloudflare blog, in the past few days 2 new features have been added to their "website protection suite" or however you want to define the collection of services they provide (they released some other stuff, but from what I've gathered it isn't related to their core product) - Browser Insights and Bot Fight Mode. While neither of those should be enabled by default (at least according to both blog posts), maybe it's automatically enabled for a certain groups of customers? If that's the case, either (or both) of these features might be injecting JS into the page (the announcement of the Browser Insights feature even shows a dashboard screen of insights per geographic region).

Do note that I'm speculating but it's either that, you accidentally visiting a phishing website, your PC being infected with malware / adware or Bitcointalk getting compromised again. Hopefully it's the first one.

[bob123]

If that's the case, either (or both) of these features might be injecting JS into the page

Doesn't cloudflare also allow to upload and use own certificates for encryption between the client and the cloudflare server to not be forced to use theirs?

If that's the case, why doesn't bitcointalk use that option ?

[...] or Bitcointalk getting compromised again.

Wouldn't it be retarded by an attacker to waste such a strong position (in case of found vulnerabilities etc.) just for some JS which is highly noticeable by asking for location?
And why would only one user get this notification.

Correct me if i am wrong, but i think that this is not an indication for the system being compromised. Not at all.

[mprep]

If that's the case, either (or both) of these features might be injecting JS into the page

Doesn't cloudflare also allow to upload and use own certificates for encryption between the client and the cloudflare server to not be forced to use theirs?

If that's the case, why doesn't bitcointalk use that option ?

It does but that's only useful if you don't want to use Cloudflare's SSL certificate for some other reason aside from encryption (e.g. you have one of those fancy SSL certificates with your company name). You uploading the certificate == you giving your SSL private keys to Cloudflare (if I'm not mistaken; I haven't used the service, just did some casual research in the past). For a fully-featured DDOS mitigation service to work, said service has to be able to look at the unencrypted request (both to check it against certain basic rules as well as to detect anomalies using various machine learning methods). The uploaded certificate merely changes the web request pipeline from:

(you)----encrypted connection <CF cert>--->(CF servers)---encrypted connection <your own cert>---->(Bitcointalk servers)

to:

(you)----encrypted connection <your uploaded cert>--->(CF servers)---encrypted connection <your own cert>---->(Bitcointalk servers)

I've bolded the parts where the data being transferred (which in this case is the request to Bitcointalk's servers) is unencrypted^[1].

In a perfect (not-so-far-from-our-current-situation) world, everyone would have a DDOS-mitigation-in-a-box type of open-source application (which would be widely used and supported) as well as enough money to afford the hardware required to run it. In reality, AFAIK there is no free and open-source DDOS-mitigation-in-a-box application that'd be able to stand up to all the attacks that Cloudflare mitigates right out the box (alongside with it being constantly supported and updated to address new threats). And if you tack on the massive server costs on top of that, you can start to understand how despite the compromise in privacy, Cloudflare (and similar DDoS mitigation services) provide an amazing value proposition (especially for services less concerned with user privacy). It's either sink a ton of money and / or work and hope for the best (Bitcointalk tried this one and it worked.... till it didn't; DDoS mitigation is very much a perpetual arms race that few can keep up with once they reach a certain size), get DDoSed to hell and back (hey, you get the privacy benefits... by not being able to transmit any sort of data to the website) or use one of these services.

[...] or Bitcointalk getting compromised again.

Wouldn't it be retarded by an attacker to waste such a strong position (in case of found vulnerabilities etc.) just for some JS which is highly noticeable by asking for location?
And why would only one user get this notification.

Correct me if i am wrong, but i think that this is not an indication for the system being compromised. Not at all.

I tend to follow the methodology of never ruling something (important) out until you're 99.9% sure that isn't the case - especially when a wrongful assumption can lead to catastrophic consequences. Hacking is (usually) messy and complicated. You usually don't just sit down and "hack something" - for highly secured systems it might take months of pushing and prodding till you figure out where and how the system is vulnerable. Some of that poking and prodding might leave traces. While I'm not saying that I'm fairly certain Bitcointalk was hacked again, I prefer to cover all my bases when talking about possible causes for an issue I have very little information about.

[1] - Do note that this is the most secure configuration as encrypting the <your own cert> part of the pipeline is optional for your browser to consider the connection as "secure". It sort of is (as in it's much more likely and dangerous letting randoms intercept your request (and response) data while you beam it over your coffee shop's WiFi) but if you don't or don't want to trust the people / companies managing the infrastructure between Cloudflare and your hosting company, the high-level configuration shown in the makeshift graph is what you should use (and what I assume Bitcointalk uses).

[bob123]

While it might be possible, i believe that it is highly unlikely that a malicious person would do such a huge blunder.
I never saw or heard of a person who injects JS asking for location permission when trying to exploit something.
Mostly it is either the classic popup or something which is not noticeable at all.
Why risk getting caught when you can inject JS which isn't visible at all without further inspection of the network traffic (which no normal visitor would do anyway).

IF (which is extremely unlikely IMO) this would be indeed an attack, the attacker would have been way too bumbling to be able to achieve what is required to be in this hypothetical position to inject JS.


Most likely this was just cloudflare messing around or malware on OP's mobile. Let's see if there will be additional cases reported regarding strange behavior / pop-ups / permission requests.

[OgNasty]

Too bad I did not save address bar to be sure, but as you say it is probably that fake .to site which is down for some time, and the domain is for sale, only $4,930. It might not be bad move for a forum to buy it?

The problem with that is it encourages others to engage in the same behavior in order to receive a payoff.  Best to educate users what to look out for and expose the site for being untrustworthy.  LTU_btc should probably also update the OP to not say "Bitcointalk.org..." as that is not the case.

[bob123]

LTU_btc should probably also update the OP to not say "Bitcointalk.org..." as that is not the case.

How can you be sure about that ?

For me it seems that he indeed was browsing bitcointalk.org.

Or what explanation do you have for this behavior:

Nope, it's proper Bitcointalk, because I was signed in to my Bitcointalk when I visited this link. If it would be fake website, I would have to enter my login data to sign in.

[suchmoon]

For me it seems that he indeed was browsing bitcointalk.org.

And the screenshot clearly shows him logged in ("Report to moderator" etc), and:

I can see in the access logs that you were talking to bitcointalk.org, though.

[OgNasty]

LTU_btc should probably also update the OP to not say "Bitcointalk.org..." as that is not the case.

How can you be sure about that ?

For me it seems that he indeed was browsing bitcointalk.org.

Or what explanation do you have for this behavior:

Nope, it's proper Bitcointalk, because I was signed in to my Bitcointalk when I visited this link. If it would be fake website, I would have to enter my login data to sign in.

I can't even be sure we aren't living in a simulation.  Maybe OP is some sort of secret spy agent and the NSA hacked bitcointalk.org and inserted amateur malware to try and track his user account.

However, I think it is far more likely that the user was experiencing a bug or a dozen other possible explanations.  I'm not saying it shouldn't be investigated by the powers that be if they have the available time, only that the google result of "bitcointalk.org would like to use your current location" is probably not the most accurate one.  If the issue couldn't be reproduced and nobody else experienced it, then I think a less diabolical explanation is the likely one.  I'm no cybersecurity expert though, so feel free to take my opinion on the subject for the two satoshis it's worth.

[bob123]

[..] and the NSA hacked bitcointalk.org and inserted amateur malware to try and track his user account.

Whatever you smoke.. i want it too.  

I can't even be sure we aren't living in a simulation.

Does it even matter?  



Decide wisely..

[libert19]

I wish we (the forum) had an alternative to Cloudflare :-(

Imagine Cloudflare has all the logs of the IP address that you have ever used to browse your BitcoinTalk account. I do not question that they do not have it yet.

There's other solutions out there, but Cloudflare definitely has the monopoly within the industry. They're unfortunately the best service around in terms of uptime, speed, and features. However, there's definitely been questions about what they do with the data, and who's seeing the data. I've used Cloudflare, and haven't had too many complaints about them. Possibly if there was a decent competitor I'd give them a look though. I think I remember theymos being somewhat reluctant to using them also.

Every convenience comes with it's own problems. Pretty sure, cloudflare uses data they get from users to increase our 'convenience'. Just like Google does.