Closed Bug 1169066 Opened 9 years ago Closed 9 years ago

WebRTC is leaking internal IP addresses without authorization

Categories

(Core :: WebRTC: Signaling, defect)

Product:
Core
Component:
WebRTC: Signaling
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 959893

People

(Reporter: BenB, Unassigned)

Details

Reproduction:
1. Go to https://diafygi.github.io/webrtc-ips/

Actual result:
* You see all your internal IP addresses
* You see your public IP address, even if you have a proxy configured and "remote dns" enabled.

Expected result:
* I see an authorization prompt (similar to the one for access to mic and webcam)
* Even then, internal IP addresses NEVER leak outside the internal network. Neither do public addresses, if I have a proxy configured.

Severity:
* This is critical for privacy. I route all my traffic through a proxy, for anonymization. This completely unveils me.
* This is currently being used in a widespread attack on routers as a vector to find the router. Reportedly, the router attack works from a browser by just visiting a website.
http://www.heise.de/newsticker/meldung/Exploit-Kit-greift-ueber-50-Router-Modelle-an-2665387.html (in German)
Thus, this fulfills the criteria for Severity: Critical
ticking and unticking security flag, to make it appear in filters. This should not be hidden, because the exploit is already public.
Group: core-security
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.