Re: Serious security holes in web anonimyzing services-non html

[tbarri () AMEX-TRS COM (Toby Barrick)]

This is a multi-part message in MIME format.
--------------67C94EAD81E791EB5B4220B0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Sorry for the dual post, the first was html format.

This is more of a browser/Java issue. This not only affects annon
sevices but proxy/firewall services also!!!

Toby Barrick

Patrick Oonk wrote:
> From: "Richard M. Smith" <smiths () tiac net>
> Subject: Serious security holes in Web anonymizing services
> Date: Sun, 11 Apr 1999 19:23:25 -0400
> Newsgroups: comp.security.misc
> Organization: The Internet Access Company, Inc.
>
> Hello,
>
> I found very serious security holes in all of the major
> anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.).
> These security holes allow a Web site to obtain information about
> users that the anonymizing services are suppose to be hiding.  This
> message provides complete details of the problem and offers
> a simple work-around for users until the security holes are
> fixed.
>
> The April 8th issue of the New York Times has an article
> by Peter H. Lewis in the Circuits section that describes
> various types of services that allow people to anonymously
> surf the Web.  The article is entitled "Internet Hide and
> Seek" and is available at the NY Times Web site:
>
>     http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
>
> (Note, this article can only viewed if you have a free
> NY Times Web account.)
>
> The three services described in the article are:
>
>     Anonymizer (http://www.anonymizer.com)
>     Bell Labs (http://www.bell-labs.com/project/lpwa)
>     Naval Research Laboratory (http://www.onion-router.net)
>
> In addition, I found a pointer to fourth service in a security
> newsgroup:
>
>     Aixs (http://aixs.net/aixs/)
>
> The best known of these services is the Anonymizer at
> www.anonymizer.com.  However all four services basically
> work in the same manner.  They are intended to hide
> information from a Web site when visited by a user.  The
> services prevent the Web site from seeing the IP address,
> host computer name, and cookies of a user.  All the services act
> as proxies fetching pages from Web sites instead of users
> going directly to Web sites.  The services make the promise
> that they don't pass private information along to
> Web sites.  They also do no logging of Web sites that
> have been visited.
>
> After reading the article, I was curious to find out how well
> each of these services worked.  In particular, I wanted to
> know if it would be possible for a Web site to
> defeat any of these systems.  Unfortunately, with less
> than an hour's worth of work, I was able to get all four
> systems to fail when using Netscape 4.5.
>
> The most alarming failures occurred with the Anonymizer and Aixs
> systems.  With the same small HTML page I was able
> to quietly turn off the anonymzing feature in both services.
> Once this page runs, it quickly redirects to a regular
> Web page of the Web site.  Because the browser is no
> longer in anonymous mode, IP addresses and cookies
> are again sent from the user's browser to all Web servers.
> This security hole exists because both services fail to properly
> strip out embedded JavaScript code in all cases from HTML
> pages.
>
> With the Bell Labs and NRL systems I found a different
> failure.  With a simple JavaScript expression I was
> able to query the IP address and host name of the
> browser computer.  The query was done by calling the
> Java InetAddress class using the LiveConnect feature
> of Netscape Navigator.  Once JavaScript has this
> information, it can easily be transmitted it back to a
> Web server as part of a URL.
>
> A demo on the use of Java InetAddress class to fetch
> the browser IP address and host name can be found at:
>
>    http://www.tiac.net/users/smiths/js/livecon/index.htm
>
> If you are a user of any these services, I highly recommend
> that you turn off JavaScript, Java, and ActiveX
> controls in your browser before surfing the Web.
> This simple precaution will prevent any leaks of
> your IP address or cookies.  I will be notifying all 4 vendors
> about these security holes and hopefully this same recommendation
> will be given to all users.
>
> If you have any questions or comments, please send them via Email.
>
> Richard M. Smith
> smiths () tiac net
>
> --
>  Patrick Oonk -    http://patrick.mypage.org/  - patrick () pine nl
>  Pine Internet B.V.           Consultancy, installatie en beheer
>  Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
>  -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
>  Excuse of the day: bugs in the RAID
--------------67C94EAD81E791EB5B4220B0
Content-Type: text/x-vcard; charset=us-ascii;
 name="tbarri.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Toby Barrick
Content-Disposition: attachment;
 filename="tbarri.vcf"

begin:vcard
n:Barrick;Toby
tel;cell:602-790-5438
tel;fax:602-753-6549
tel;home:602-496-6507
tel;work:602-766-3705
x-mozilla-html:TRUE
url:http://www.americanexpress.com
org:American Express;DIT
adr:;;9630 N 25th Ave 4th Floor;Phoenix;AZ;85021;US
version:2.1
email;internet:tbarri () amex-trs com
title:Internet Security
note;quoted-printable:Home email:=0D=0Atbarrick () home com
x-mozilla-cpt:24.1.209.79;30144
fn:Toby Barrick
end:vcard

--------------67C94EAD81E791EB5B4220B0--