[10238] in bugtraq
Re: Serious security holes in web anonymizing services
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Apr 16 14:46:39 1999
Date: Thu, 15 Apr 1999 20:47:21 +0100
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To: patrick@pine.nl
To: BUGTRAQ@NETSPACE.ORG
Patrick Oonk wrote:
> With the Bell Labs and NRL systems I found a different
> failure. With a simple JavaScript expression I was
> able to query the IP address and host name of the
> browser computer. The query was done by calling the
> Java InetAddress class using the LiveConnect feature
> of Netscape Navigator. Once JavaScript has this
> information, it can easily be transmitted back to a
> Web server as part of a URL.
This is not news. We (Major Malfunction and I) pointed this hole out
years ago (in Jan '97 to be precise; seems even longer):
http://www.alcrypto.com/java/
To quote the page: "Even the mighty anonymizer retires after
the first round, nose bleeding and ego bruised." Well, you know, these
guys with weird names like the flowery prose :-)
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi