[10204] in bugtraq
Re: Serious security holes in web anonymizing services - non html
daemon@ATHENA.MIT.EDU (Toby Barrick)
Wed Apr 14 01:19:26 1999
Date: Tue, 13 Apr 1999 17:34:28 -0700
Reply-To: Toby Barrick <tbarri@AMEX-TRS.COM>
From: Toby Barrick <tbarri@AMEX-TRS.COM>
X-To: patrick@pine.nl
To: BUGTRAQ@NETSPACE.ORG
Sorry for the dual post, the first was html format.
This is more of a browser/Java issue. This not only affects anon
services but proxy/firewall services also!!!
Toby Barrick
Patrick Oonk wrote:
>
> From: "Richard M. Smith" <smiths@tiac.net>
> Subject: Serious security holes in Web anonymizing services
> Date: Sun, 11 Apr 1999 19:23:25 -0400
> Newsgroups: comp.security.misc
> Organization: The Internet Access Company, Inc.
>
> Hello,
>
> I found very serious security holes in all of the major
> anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.).
> These security holes allow a Web site to obtain information about
> users that the anonymizing services are supposed to be hiding. This
> message provides complete details of the problem and offers
> a simple work-around for users until the security holes are
> fixed.
>
> The April 8th issue of the New York Times has an article
> by Peter H. Lewis in the Circuits section that describes
> various types of services that allow people to anonymously
> surf the Web. The article is entitled "Internet Hide and
> Seek" and is available at the NY Times Web site:
>
> http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
>
> (Note, this article can only be viewed if you have a free
> NY Times Web account.)
>
> The three services described in the article are:
>
> Anonymizer (http://www.anonymizer.com)
> Bell Labs (http://www.bell-labs.com/project/lpwa)
> Naval Research Laboratory (http://www.onion-router.net)
>
> In addition, I found a pointer to a fourth service in a security
> newsgroup:
>
> Aixs (http://aixs.net/aixs/)
>
> The best known of these services is the Anonymizer at
> www.anonymizer.com. However all four services basically
> work in the same manner. They are intended to hide
> information from a Web site when visited by a user. The
> services prevent the Web site from seeing the IP address,
> host computer name, and cookies of a user. All the services act
> as proxies fetching pages from Web sites instead of users
> going directly to Web sites. The services make the promise
> that they don't pass private information along to
> Web sites. They also do no logging of Web sites that
> have been visited.
>
> After reading the article, I was curious to find out how well
> each of these services worked. In particular, I wanted to
> know if it would be possible for a Web site to
> defeat any of these systems. Unfortunately, with less
> than an hour's worth of work, I was able to get all four
> systems to fail when using Netscape 4.5.
>
> The most alarming failures occurred with the Anonymizer and Aixs
> systems. With the same small HTML page I was able
> to quietly turn off the anonymizing feature in both services.
> Once this page runs, it quickly redirects to a regular
> Web page of the Web site. Because the browser is no
> longer in anonymous mode, IP addresses and cookies
> are again sent from the user's browser to all Web servers.
> This security hole exists because both services fail to properly
> strip out embedded JavaScript code in all cases from HTML
> pages.
>
> With the Bell Labs and NRL systems I found a different
> failure. With a simple JavaScript expression I was
> able to query the IP address and host name of the
> browser computer. The query was done by calling the
> Java InetAddress class using the LiveConnect feature
> of Netscape Navigator. Once JavaScript has this
> information, it can easily be transmitted back to a
> Web server as part of a URL.
>
> A demo on the use of Java InetAddress class to fetch
> the browser IP address and host name can be found at:
>
> http://www.tiac.net/users/smiths/js/livecon/index.htm
>
> If you are a user of any of these services, I highly recommend
> that you turn off JavaScript, Java, and ActiveX
> controls in your browser before surfing the Web.
> This simple precaution will prevent any leaks of
> your IP address or cookies. I will be notifying all 4 vendors
> about these security holes and hopefully this same recommendation
> will be given to all users.
>
> If you have any questions or comments, please send them via Email.
>
> Richard M. Smith
> smiths@tiac.net
>
> --
> Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl
> Pine Internet B.V. Consultancy, installatie en beheer
> Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
> -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
> Excuse of the day: bugs in the RAID
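As an added illustration (not code from Smith's post, from Patrick's digest, or from any of the services named), this is the kind of rewriting an anonymizing proxy has to apply to every page it relays, built on Python's html.parser: it drops script and plug-in elements, inline event handlers and javascript: URLs instead of matching only a literal script tag, which is the "in all cases" requirement the post says Anonymizer and Aixs did not meet. Tag names, attribute names and the sample page are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Elements whose body is code or a plug-in (JavaScript, Java applets, ActiveX).
ACTIVE_TAGS = {"script", "applet", "object", "embed"}
# URL-valued attributes; a javascript: scheme in any of them runs code.
URL_ATTRS = {"href", "src", "action", "background", "lowsrc"}


class ScriptStripper(HTMLParser):
    # HTMLParser hands us lowercased tag/attribute names and decoded attribute
    # values, so case tricks and entity-encoded schemes arrive in plain form.
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0  # >0 while inside an ACTIVE_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
        elif not self.skip_depth:
            kept = []
            for name, value in attrs:
                if name.startswith("on"):  # onload=, onclick=, ... handlers
                    continue
                if name in URL_ATTRS and value is not None:
                    scheme = "".join(value.split()).lower()  # ignore whitespace
                    if scheme.startswith(("javascript:", "vbscript:")):
                        continue
                kept.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text outside active elements passes through
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):  # keep &amp; etc. exactly as written
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")


def strip_active_content(page: str) -> str:
    """Return PAGE with scripts, plug-ins, event handlers and script: URLs removed."""
    parser = ScriptStripper()
    parser.feed(page)
    parser.close()
    return "".join(parser.out)
```

Comments and the doctype are dropped as well, since the default handlers ignore them; a production rewriter would also have to re-point the surviving URLs back through the proxy, which this sketch does not do.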