Skip to main content
SpringerLink
Log in

One Leak Is Enough to Expose Them All

From a WebRTC IP Leak to Web-Based Network Scanning

  • Conference paper
  • First Online:
Engineering Secure Software and Systems (ESSoS 2018)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 10953))

Included in the following conference series:

Abstract

WebRTC provides browsers and mobile apps with rich real-time communications capabilities, without the need for further software components. Recently, however, it has been shown that WebRTC can be triggered to fingerprint a web visitor, which may compromise the user’s privacy. We evaluate the feasibility of exploiting a WebRTC IP leak to scan a user’s private network ports and IP addresses from outside their local network. We propose a web-based network scanner that is both browser- and network-independent, and performs nearly as well as system-based scanners. We experiment with various popular mobile and desktop browsers on several platforms and show that adversaries not only can exploit WebRTC to identify the real user identity behind a web request, but also can retrieve sensitive information about the user’s network infrastructure. We discuss the potential security and privacy consequences of this issue and present a browser extension that we developed to inform the user about the prospect of suspicious activities.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 44.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 59.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://nvd.nist.gov/vuln/detail/CVE-2018-6460.

  2. 2.

    We send a new request every 200 ms.

  3. 3.

    https://developers.google.com/web/updates/2017/03/background_tabs.

  4. 4.

    http://angryip.org.

  5. 5.

    http://www.advanced-ip-scanner.com.

  6. 6.

    https://www.advanced-port-scanner.com.

  7. 7.

    Distributing the work amongst more popup windows could improve the speed, but the risk that they will be noticed by the user increases as well.

  8. 8.

    https://code.google.com/archive/p/jslanscanner/.

References

  1. Zhang, M., Lu, S., Xu, B.: An anomaly detection method based on multi-models to detect web attacks. In: Computational Intelligence and Design, pp. 404–409, December 2017

    Google Scholar 

  2. Rogowski, R., Morton, M., Li, F., Monrose, F., Snow, K.Z., Polychronakis, M.: Revisiting browser security in the modern era: new data-only attacks and defenses. In: Proceedings - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017, pp. 366–381 (2017)

    Google Scholar 

  3. Luangmaneerote, S., Zaluska, E., Carr, L.: Inhibiting browser fingerprinting and tracking. In: Proceedings - 3rd IEEE International Conference on Big Data Security on Cloud, BigDataSecurity 2017, 3rd IEEE International Conference on High Performance and Smart Computing, HPSC 2017 and 2nd IEEE International Conference on Intelligent Data and Securit, pp. 63–68 (2017)

    Google Scholar 

  4. Mowery, K., Shacham, H.: Pixel perfect: fingerprinting Canvas in HTML5. In: Web 2.0 Security & Privacy (W2SP), vol. 20, pp. 1–12 (2012)

    Google Scholar 

  5. Yoon, S., Jung, J., Kim, H.: Attacks on web browsers with HTML5. In: 2015 10th International Conference for Internet Technology and Secured Transactions, ICITST 2015, pp. 193–197 (2016)

    Google Scholar 

  6. Al-Fannah, N.M.: One leak will sink a ship: WebRTC IP address leaks, pp. 1–12. arXiv preprint arXiv:1709.05395 (2017)

  7. Cox, J.H., Clark, R., Owen, H.: Leveraging SDN and WebRTC for rogue access point security. IEEE Trans. Netw. Serv. Manag. 14(3), 756–770 (2017)

    Article  Google Scholar 

  8. Alaca, F., van Oorschot, P.C.: Device fingerprinting for augmenting web authentication. In: Proceedings of the 32nd Annual Conference on Computer Security Applications - ACSAC 2016, pp. 289–301 (2016)

    Google Scholar 

  9. Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS 2016, no. 1, pp. 1388–1401 (2016)

    Google Scholar 

  10. Al-Fannah, N.M., Li, W.: Not all browsers are created equal: comparing web browser fingerprintability. In: Obana, S., Chida, K. (eds.) IWSEC 2017. LNCS, vol. 10418, pp. 105–120. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64200-0_7

    Chapter  Google Scholar 

  11. Reiter, A., Marsalek, A.: WebRTC: your privacy is at risk. In: Proceedings of the Symposium on Applied Computing - SAC 2017, pp. 664–669 (2017, in Press)

    Google Scholar 

Download references

Acknowledgments

We appreciate the valuable feedback from Prof. Oscar Nierstrasz, as well as all parties who kindly allowed us to carry out several tests in their private networks. We gratefully acknowledge the funding of the Swiss National Science Foundations for the project “Agile Software Analysis” (SNF project No. 200020_162352, Jan 1, 2016–Dec. 30, 2018) (http://p3.snf.ch/Project-162352). We also thank CHOOSE, the Swiss Group for Original and Outside-the-box Software Engineering of the Swiss Informatics Society, for its financial contribution to the presentation of this paper.

Author information

Authors and Affiliations

  1. Software Composition Group, University of Bern, Bern, Switzerland

    Mohammadreza Hazhirpasand & Mohammad Ghafari

Authors
  1. Mohammadreza Hazhirpasand
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mohammad Ghafari
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohammadreza Hazhirpasand .

Editor information

Editors and Affiliations

  1. Purdue University, West Lafayette, USA

    Mathias Payer

  2. University of Bristol, Clifton, UK

    Awais Rashid

  3. King’s College London, London, UK

    Jose M. Such

Appendix

Appendix

Table 8. The 59 ports that were banned for scanning via Javascript
Full size table

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Hazhirpasand, M., Ghafari, M. (2018). One Leak Is Enough to Expose Them All. In: Payer, M., Rashid, A., Such, J. (eds) Engineering Secure Software and Systems. ESSoS 2018. Lecture Notes in Computer Science(), vol 10953. Springer, Cham. https://doi.org/10.1007/978-3-319-94496-8_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-94496-8_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-94495-1

  • Online ISBN: 978-3-319-94496-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation