Abstract
WebRTC provides browsers and mobile apps with rich real-time communications capabilities, without the need for further software components. Recently, however, it has been shown that WebRTC can be triggered to fingerprint a web visitor, which may compromise the user’s privacy. We evaluate the feasibility of exploiting a WebRTC IP leak to scan a user’s private network ports and IP addresses from outside their local network. We propose a web-based network scanner that is both browser- and network-independent, and performs nearly as well as system-based scanners. We experiment with various popular mobile and desktop browsers on several platforms and show that adversaries not only can exploit WebRTC to identify the real user identity behind a web request, but also can retrieve sensitive information about the user’s network infrastructure. We discuss the potential security and privacy consequences of this issue and present a browser extension that we developed to inform the user about the prospect of suspicious activities.
Notes
- 2. We send a new request every 200 ms.
- 7. Distributing the work amongst more popup windows could improve the speed, but the risk that they will be noticed by the user increases as well.
Acknowledgments
We appreciate the valuable feedback from Prof. Oscar Nierstrasz, as well as all parties who kindly allowed us to carry out several tests in their private networks. We gratefully acknowledge the funding of the Swiss National Science Foundation for the project “Agile Software Analysis” (SNF project No. 200020_162352, Jan 1, 2016–Dec. 30, 2018) (http://p3.snf.ch/Project-162352). We also thank CHOOSE, the Swiss Group for Original and Outside-the-box Software Engineering of the Swiss Informatics Society, for its financial contribution to the presentation of this paper.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Hazhirpasand, M., Ghafari, M. (2018). One Leak Is Enough to Expose Them All. In: Payer, M., Rashid, A., Such, J. (eds) Engineering Secure Software and Systems. ESSoS 2018. Lecture Notes in Computer Science, vol 10953. Springer, Cham. https://doi.org/10.1007/978-3-319-94496-8_5
DOI: https://doi.org/10.1007/978-3-319-94496-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-94495-1
Online ISBN: 978-3-319-94496-8
eBook Packages: Computer Science, Computer Science (R0)