Full Disclosure mailing list archives
Re: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header
From: Adam Dodson <adam () adamdodson org>
Date: Fri, 15 Aug 2014 08:05:31 +1000
Hi, I forwarded these details to the Steganos dev team and they have just addressed this issue with a software update yesterday :) Regards, Adam
On Sun, Aug 10, 2014 at 7:45 AM, Stefan Paletta <stefanp () cabal1 net> wrote:Hi! “Steganos Online Shield VPN” claims to enhance the user’s privacy online (<https://www.steganos.com/en/products/vpn/online-shield-vpn/features/>) by, among other measures, (a) blocking advertisements in web pages, (b) blocking tracking code in web pages, and (c) replacing the browser’s “User-Agent” header with a fixed value. The measures can be enabled independent of each other and independent of other functionality of the software (e.g. use of a VPN connection). Use of any feature (a) through (c) will enable a local HTTP proxy server based on Node.js (<http://nodejs.org/>) and < https://github.com/axiak/filternet>. When (a) and/or (b) are enabled, and (c) is not, the proxy will leak the hostname of the machine in a “Via” header like so: “Via: 1.1 foobar:8123 (Steganos Online Shield)” (where “foobar” is the local hostname). The code is this < https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L19> (think %windir%\System32\HOSTNAME.EXE) and this < https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L116.When (c) is enabled, custom code in the proxy will replace the “User-Agent” header with a fixed value and replace the “Via” header with the empty string (not remove it altogether), thereby mitigating the information leak. The machine’s hostname is usually strongly connected to the user’s identity (often containing their name). In addition to that, it is a strong distinguisher that will allow a correlation of HTTP requests as originating from the same machine (and thereby user, to some degree) even when these requests are not otherwise related in any way. When reproducing, be careful that online services echoing back your HTTP request may or may not echo a “Via” header when one is in fact present. –Stefan _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header Stefan Paletta (Aug 12)
- Message not available
- Re: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header Adam Dodson (Aug 15)
- Message not available