Closed Bug 1169066 Opened 6 years ago Closed 6 years ago

WebRTC is leaking internal IP addresses without authorization

Categories

(Core :: WebRTC: Signaling, defect)

defect
Not set
critical

RESOLVED DUPLICATE of bug 959893

People

(Reporter: BenB, Unassigned)

Details

Reproduction:
1. Go to https://diafygi.github.io/webrtc-ips/

Actual result:
* You see all your internal IP addresses
* You see your public IP address, even if you have a proxy configured and "remote dns" enabled.

Expected result:
* I see an authorization prompt (similar to the one for access to mic and webcam)
* Even then, internal IP addresses NEVER leak outside the internal network. Neither do public addresses, if I have a proxy configured.

Severity:
* This is critical for privacy. I route all my traffic through a proxy, for anonymization. This completely unveils me.
* This is currently being used in a widespread attack on routers as a vector to find the router. Reportedly, the router attack works from a browser by just visiting a website.
http://www.heise.de/newsticker/meldung/Exploit-Kit-greift-ueber-50-Router-Modelle-an-2665387.html (in German)
Thus, this fulfills the criteria for Severity: Critical.

Ticking and unticking the security flag, to make it appear in filters. This should not be hidden, because the exploit is already public.
Group: core-security
Group: core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 959893