Full Disclosure mailing list archives

“Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header

From: Stefan Paletta <stefanp () cabal1 net>
Date: Sat, 9 Aug 2014 23:45:46 +0200

Hi!

“Steganos Online Shield VPN” claims to enhance the user’s privacy online 
(<https://www.steganos.com/en/products/vpn/online-shield-vpn/features/>) by, among other measures, (a) blocking 
advertisements in web pages, (b) blocking tracking code in web pages,  and (c) replacing the browser’s “User-Agent” 
header with a fixed value. The measures can be enabled independent of each other and independent of other functionality 
of the software (e.g. use of a VPN connection).

Use of any feature (a) through (c) will enable a local HTTP proxy server based on Node.js (<http://nodejs.org/>) and 
<https://github.com/axiak/filternet>.

When (a) and/or (b) are enabled, and (c) is not, the proxy will leak the hostname of the machine in a “Via” header like 
so: “Via: 1.1 foobar:8123 (Steganos Online Shield)” (where “foobar” is the local hostname).

The code is this <https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L19> 
(think %windir%\System32\HOSTNAME.EXE) and this 
<https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L116>.

When (c) is enabled, custom code in the proxy will replace the “User-Agent” header with a fixed value and replace the 
“Via” header with the empty string (not remove it altogether), thereby mitigating the information leak.

The machine’s hostname is usually strongly connected to the user’s identity (often containing their name). In addition 
to that, it is a strong distinguisher that will allow a correlation of HTTP requests as originating from the same 
machine (and thereby user, to some degree) even when these requests are not otherwise related in any way.

When reproducing, be careful that online services echoing back your HTTP request may or may not echo a “Via” header 
when one is in fact present.

–Stefan

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

“Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header Stefan Paletta (Aug 12)
- Message not available
  - Re: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header Adam Dodson (Aug 15)