Re: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header

[Adam Dodson <adam () adamdodson org>]

Hi,

I forwarded these details to the Steganos dev team and they have just
addressed this issue with a software update yesterday :)

Regards,
Adam

> On Sun, Aug 10, 2014 at 7:45 AM, Stefan Paletta <stefanp () cabal1 net>
> wrote:
>
> > Hi!
> >
> > “Steganos Online Shield VPN” claims to enhance the user’s privacy online
> > (<https://www.steganos.com/en/products/vpn/online-shield-vpn/features/>)
> > by, among other measures, (a) blocking advertisements in web pages, (b)
> > blocking tracking code in web pages,  and (c) replacing the browser’s
> > “User-Agent” header with a fixed value. The measures can be enabled
> > independent of each other and independent of other functionality of the
> > software (e.g. use of a VPN connection).
> >
> > Use of any feature (a) through (c) will enable a local HTTP proxy server
> > based on Node.js (<http://nodejs.org/>) and <
> > https://github.com/axiak/filternet>.
> >
> > When (a) and/or (b) are enabled, and (c) is not, the proxy will leak the
> > hostname of the machine in a “Via” header like so: “Via: 1.1 foobar:8123
> > (Steganos Online Shield)” (where “foobar” is the local hostname).
> >
> > The code is this <
> > https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L19>
> > (think %windir%\System32\HOSTNAME.EXE) and this <
> > https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L116
> > > .
> >
> > When (c) is enabled, custom code in the proxy will replace the
> > “User-Agent” header with a fixed value and replace the “Via” header with
> > the empty string (not remove it altogether), thereby mitigating the
> > information leak.
> >
> > The machine’s hostname is usually strongly connected to the user’s
> > identity (often containing their name). In addition to that, it is a strong
> > distinguisher that will allow a correlation of HTTP requests as originating
> > from the same machine (and thereby user, to some degree) even when these
> > requests are not otherwise related in any way.
> >
> > When reproducing, be careful that online services echoing back your HTTP
> > request may or may not echo a “Via” header when one is in fact present.
> >
> > –Stefan
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/