Total Pageviews

Sunday, 8 March 2015

支持WebRTC协议的Chrome和Firefox浏览器被曝光存在严重漏洞

What this does
Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.

FROM  https://github.com/diafygi/webrtc-ips

 Demo: https://diafygi.github.io/webrtc-ips/
This demo secretly makes requests to STUN servers that can log your request. These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.).

 VPN被认为是非常安全的网络匿名方法,但最近爆出它并不如人们认为的那样安全,只要在网站上放上一段简单的代码,就可以准确地测出浏览者的真实IP地址,这被称为WebRTC特征。只要到这个网页https://diafygi.github.io/webrtc-ips,就可以测试你的VPN是否泄露你的真实IP.

 1月29日,支持WebRTC协议的Chrome和Firefox浏览器被曝光存在严重漏洞。利用该漏洞,网站可以通过WebRTC协议的STUN请求获取用户的真实IP地址,即使用户使用了网络代理

相关帖子:

如何修复WebRTC安全漏洞