@davywtf
A practical demo of privacy violation using local service detection on a website for product recommendations.
wybiral.github.io/wtf/ pic.twitter.com/hVGrNdwLom
Davy Wybiral
@davywtf
Jun 7
Btw it also works in the private "Tor" mode of Brave pic.twitter.com/nrZcPoTtt5
Davy Wybiral
@davywtf
Jun 7
Added detection of some common development software like MongoDB, ElasticSearch, Redis, and MySQL. pic.twitter.com/MXYDvCcciB
Davy Wybiral
@davywtf
Jun 7
And detecting when a media player is opened by the visitor by inspecting the DAAP port used by iTunes/Rhythmbox/Amarok pic.twitter.com/tIL2Xrkp61
Davy Wybiral
@davywtf
Jun 8
To be clear: this isn't a bug in Brave. It works in Firefox and Chrome too.
It is, in fact, the expected behavior of web browsers to allow TCP requests on localhost from any website you visit. Just used for obnoxious/evil purposes in this case.
Davy Wybiral
@davywtf
Jun 8
Cool, you can also detect that your visitors have Dropbox installed... pic.twitter.com/xL6U1IosMy
Steve Phillips
@elimisteve
Jun 8
Someone should do one where the page's JS pulls data from MongoDB, says it analyzed it, and links them to some Amazon product (using a tracking commission link, of course).
Davy Wybiral
@davywtf
Jun 8
Luckily the requests are in "opaque" mode so the page shouldn't be able to actually read the response body. But they can ping localhost servers and send data to them.
Davy Wybiral
@davywtf
Jun 8
If you visit that site with @dollarvpnclub all of the trackers are replaced with GIFs of dogs skateboarding! Thanks DollarVPNClub!
Aaron Larner
@alarner
Jun 7
Very clever, any recommendations for protecting against this sort of thing?
Davy Wybiral
@davywtf
Jun 8
I hear the uMatrix plugin can block localhost access, maybe some other content blockers. But, yeah, unless browser vendors stop seeing this as a feature and start seeing it as an issue that's probably the only way.
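
A sketch of the decision a content blocker can make to stop the localhost requests discussed in this thread. It is an added example, not code from uMatrix or from anyone in the thread; the function names, page origin and sample URLs are constructed for illustration.

```javascript
// Added example (hypothetical names): block requests that a public page
// sends to the visitor's own loopback interface.

// True when a parsed URL hostname refers to the loopback interface.
function isLoopbackHost(hostname) {
  // URL.hostname keeps IPv6 brackets and any trailing dot; strip both.
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1") return true;
  // IPv4 loopback is the whole 127.0.0.0/8 range, not only 127.0.0.1.
  const v4 = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(h);
  if (v4) return Number(v4[1]) === 127;
  // IPv4-mapped IPv6: the URL parser serializes ::ffff:127.0.0.1 as ::ffff:7f00:1.
  const mapped = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(h);
  if (mapped) return (parseInt(mapped[1], 16) >> 8) === 127;
  return false;
}

// Decide whether a request made by pageUrl should be blocked.
function shouldBlock(pageUrl, requestUrl) {
  let page, req;
  try {
    page = new URL(pageUrl);
    req = new URL(requestUrl, pageUrl); // resolves relative URLs against the page
  } catch {
    return false; // unparseable: leave the decision to other rules
  }
  if (!/^(https?|wss?):$/.test(req.protocol)) return false;
  // A page served from localhost may talk to localhost (local development).
  return isLoopbackHost(req.hostname) && !isLoopbackHost(page.hostname);
}

// Constructed sample requests, as a blocker might see them from one page.
const SAMPLE_REQUESTS = [
  "/api/recommendations",            // same-origin, relative
  "https://cdn.example/app.js",      // ordinary third party
  "http://localhost:8080/",          // loopback by name
  "http://127.1:9000/",              // shorthand, parsed as 127.0.0.1
  "http://[::1]:9000/",              // IPv6 loopback
  "ws://[::ffff:127.0.0.1]:8080/",   // IPv4-mapped IPv6 over WebSocket
];

function blockedRequests(pageUrl, urls) {
  return urls.filter((u) => shouldBlock(pageUrl, u));
}

console.log(blockedRequests("https://shop.example/", SAMPLE_REQUESTS));
```

Matching on the parsed hostname rather than the raw URL string matters here, because the same loopback address can be written in several forms.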