Serious Security Flaw shipping with Firefox, Firefox for Android, IOS
(Core :: WebRTC: Signaling, defect)
(Reporter: admin, Unassigned)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Firefox for Android
Steps to reproduce:
- Download Firefox 69.0 or even older versions
- Go to https://browserleaks.com/webrtc
Actual results:
Firefox, cleanly downloaded, feeds the internal IP address of your machine on the internal network to the WAN, plain-text readable on the web.
Expected results:
Clearly the internal IP address should not be made available by default for crackers or anyone with malicious intent to have information about your internal network domain.
The culprit is WebRTC, which is ON by default in Firefox!!
To fix this, Firefox should be shipped with
media.peerconnection.enabled FALSE
in about:config
It currently ships
media.peerconnection.enabled TRUE
By knowingly ignoring this flaw, users can be hacked, consciously aided by Firefox developers.
I picked this up looking for packets with my internal address on the WAN using Snort, etc.
I mean really, we have known about this vulnerability since 2015!!
Why doesn't Firefox fix it, or at least turn WebRTC off by default, so that only those wanting to use it can switch it on, with knowledge of the dangers!!!??
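As an added example (not part of this bug report or of Firefox), a small check of what a site could learn from the ICE candidates a browser emits: it parses candidate attributes, flags RFC 1918 and IPv6 link-local/ULA addresses as internal, and treats mDNS-style `.local` hostnames (which a browser may emit instead of a literal address) as not exposing one. The candidate lines are constructed sample data, not captured from a real browser.

```javascript
// Added example: classify the host addresses visible in WebRTC ICE candidates.
// The candidate strings below are constructed samples, not real captures.
const SAMPLE_CANDIDATES = [
  "candidate:0 1 UDP 2122252543 192.168.1.23 54321 typ host",
  "candidate:1 1 UDP 2122187007 fe80::1c2a:3b4c:5d6e:7f80 54322 typ host",
  "candidate:2 1 UDP 1686052863 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:3 1 UDP 2122252543 a1b2c3d4-e5f6-7890-abcd-ef1234567890.local 54323 typ host",
];

// Parse the connection address and candidate type out of one candidate attribute
// (fields: foundation component transport priority address port "typ" type ...).
function parseCandidate(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 8 || parts[6] !== "typ") return null;
  return { address: parts[4], type: parts[7] };
}

// RFC 1918 IPv4 ranges, IPv6 link-local (fe80::/10) and ULA (fc00::/7)
// all describe the machine's position on its internal network.
function isPrivateAddress(addr) {
  const m = addr.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (m) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  const lower = addr.toLowerCase();
  return /^fe[89ab]/.test(lower) || /^f[cd]/.test(lower);
}

// Exposure per candidate: "mdns" (hostname only, address not revealed),
// "private" (internal address in the clear) or "public".
function classifyCandidates(lines) {
  return lines.map(parseCandidate).filter(Boolean).map((c) => ({
    ...c,
    exposure: c.address.endsWith(".local")
      ? "mdns"
      : isPrivateAddress(c.address) ? "private" : "public",
  }));
}

// True when at least one host candidate carries a literal internal address,
// i.e. the behaviour the report describes.
function leaksInternalAddress(lines) {
  return classifyCandidates(lines).some(
    (c) => c.type === "host" && c.exposure === "private"
  );
}
```

In a browser, the same classification can be applied to the `candidate` string of each `RTCPeerConnectionIceEvent` to confirm what a page actually sees after changing the preference.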
How can it be resolved when Firefox right now ships exposing the user's internal IP address to the web??
Do you actually support the security flaw?
It's closed as a duplicate, i.e. this has been reported before; see bug 959893 (opened 6 years ago) for the lengthy discussion of the issues here.
Note in particular this comment: https://bugzilla.mozilla.org/show_bug.cgi?id=959893#c149
Right... but if I go now and download the latest Firefox version... it STILL exposes my internal IP address.
I actually checked!!
Please consider setting
media.peerconnection.enabled FALSE
and let those who want to use WebRTC have to switch it on at their own risk.
It is NOT secure having Firefox pass along our internal IP addresses.
Don't you agree?