Davy Wybiral
A practical demo of privacy violation using local service detection on a website for product recommendations.
Davy Wybiral 7 Jun
Replying to @davywtf
Btw it also works in the private "Tor" mode of Brave
Davy Wybiral 7 Jun
Replying to @davywtf
Added detection of some common development software like MongoDB, ElasticSearch, Redis, and MySQL.
Davy Wybiral 7 Jun
Replying to @davywtf
And detecting when a media player is opened by the visitor by inspecting the DAAP port used by iTunes/Rhythmbox/Amarok
Davy Wybiral 8 Jun
Replying to @davywtf
To be clear: this isn't a bug in Brave. It works in Firefox and Chrome too. It is, in fact, the expected behavior of web browsers to allow TCP requests on localhost from any website you visit. Just used for obnoxious/evil purposes in this case.
Davy Wybiral 8 Jun
Replying to @davywtf
Cool, you can also detect that your visitors have Dropbox installed...
Steve Phillips 8 Jun
Replying to @davywtf
Someone should do one where the page's JS pulls data from MongoDB, says it analyzed it, and links them to some Amazon product (using a tracking commission link, of course).
Davy Wybiral 8 Jun
Replying to @elimisteve
Luckily the requests are in "opaque" mode so the page shouldn't be able to actually read the response body. But they can ping localhost servers and send data to them.
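The mechanism the two tweets above describe (a page sending no-cors requests to localhost and learning only whether they succeed, never the body) is shown below as an added example; it is not Davy Wybiral's demo code. The port-to-service table uses the services' default ports, the Dropbox port 17600 and the 10 ms "refused" threshold are assumptions of this example, and `makeFakeFetch` is a constructed stand-in so the scan can run outside a browser.

```javascript
// Added example (not the thread's demo): detecting local services from a web page
// with fetch() in "no-cors" mode. The page cannot read the opaque response, but it
// can tell a request that completed from one that failed, and roughly how fast it
// failed, which is enough to fingerprint what is listening on the visitor's machine.
const SERVICES = {
  27017: "MongoDB",
  9200: "ElasticSearch",
  6379: "Redis",
  3306: "MySQL",
  3689: "DAAP (iTunes/Rhythmbox/Amarok)",
  17600: "Dropbox", // assumption: desktop client's browser-integration port
};

// Heuristic (assumption): a kernel "connection refused" rejects almost instantly,
// while a port that accepted TCP but did not speak HTTP is torn down later.
const REFUSED_MS = 10;

// Pure classification of one probe so it can be tested offline.
//   resolved       -> an opaque HTTP response came back (MongoDB and ElasticSearch do this)
//   rejected fast  -> nothing listening
//   rejected slow  -> something accepted the connection but was not valid HTTP (Redis, MySQL, DAAP ...)
function classify(resolved, elapsedMs, threshold = REFUSED_MS) {
  if (resolved) return "open-http";
  return elapsedMs < threshold ? "closed" : "open-non-http";
}

// Probe one port. fetchImpl and now are injectable so the same logic runs with a fake fetch.
async function probePort(port, { fetchImpl = fetch, now = () => Date.now() } = {}) {
  const start = now();
  let resolved = false;
  try {
    // mode: "no-cors" makes the browser send the request and hand back an opaque
    // response (status 0, no body). Failure surfaces as a rejected promise (TypeError).
    await fetchImpl(`http://127.0.0.1:${port}/`, { mode: "no-cors", cache: "no-store" });
    resolved = true;
  } catch (e) {
    resolved = false;
  }
  const elapsedMs = now() - start;
  return { port, service: SERVICES[port] || "unknown", elapsedMs, state: classify(resolved, elapsedMs) };
}

// Sequential on purpose: overlapping probes would blur the timing signal.
async function scanLocalhost(ports, deps) {
  const results = [];
  for (const port of ports) results.push(await probePort(port, deps));
  return results;
}

// Constructed stand-in for fetch: 9200 answers HTTP, 3306 accepts TCP then fails,
// everything else is refused immediately. clock.t is the fake wall clock it advances.
function makeFakeFetch(clock) {
  const behaviour = { 9200: { resolve: true, delay: 3 }, 3306: { resolve: false, delay: 40 } };
  return async (url) => {
    const port = Number(new URL(url).port);
    const b = behaviour[port] || { resolve: false, delay: 1 };
    clock.t += b.delay;
    if (!b.resolve) throw new TypeError("Failed to fetch");
    return { type: "opaque", status: 0 };
  };
}

async function offlineDemo() {
  const clock = { t: 0 };
  const ports = Object.keys(SERVICES).map(Number);
  return scanLocalhost(ports, { fetchImpl: makeFakeFetch(clock), now: () => clock.t });
}

if (typeof document !== "undefined") {
  // In a browser this probes the visitor's real machine.
  scanLocalhost(Object.keys(SERVICES).map(Number)).then((r) => console.table(r));
} else {
  offlineDemo().then((r) => console.table(r));
}
```

The timing side of this is noisy: a non-HTTP server that answers and closes quickly (Redis replying with an error, MySQL sending its greeting) may reject almost as fast as a refused connection, so treat "open-non-http" as a hint to confirm with a second probe rather than a verdict. The "resolved" case needs no timing at all, which is why HTTP-speaking services such as ElasticSearch and MongoDB are the easiest to spot.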
Davy Wybiral 8 Jun
Replying to @dnoiz1 @dollarvpnclub
If you visit that site, all of the trackers are replaced with GIFs of dogs skateboarding! Thanks DollarVPNClub!
Aaron Larner 7 Jun
Replying to @davywtf
Very clever, any recommendations for protecting against this sort of thing?
Davy Wybiral 8 Jun
Replying to @alarner
I hear the uMatrix plugin can block localhost access, maybe some other content blockers. But, yeah, unless browser vendors stop seeing this as a feature and start seeing it as an issue that's probably the only way.