top | item 44170126


matthberg | 9 months ago

A comment I wrote in another HN thread [0] covering this issue:

Web apps talking to LAN resources is an attack vector which is surprisingly still left wide open by browsers these days. uBlock Origin has a filter list that prevents this called "Block Outsider Intrusion into LAN" under the "Privacy" filters [1], but it isn't enabled on a fresh install, it has to be opted into explicitly. It also has some built-in exemptions (visible in [1]) for domains like `figma.com` or `pcsupport.lenovo.com`.

There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472), but mainly it's used for fingerprinting by malicious actors like shown in the article.

eBay, for example, uses port-scanning via a LexisNexis script for fingerprinting (they did in 2020 at least, unsure if they still do), allegedly for fraud prevention reasons [2].

I've contributed some to a cool Firefox extension called Port Authority [3][4] that's explicitly for blocking LAN-intruding web requests and that shows the portscan attempts it blocks. You can get practically the same results from just the uBlock Origin filter list, but I find it interesting to see blocked attempts at a more granular level too.

That said, both uBlock and Port Authority use WebExtensions' `webRequest` [5] API for filtering HTTP[S]/WS[S] requests. I'm unsure as to how the arcane webRTC tricks mentioned specifically relate to requests exposed to this API; it's possible they might circumvent the reach of available WebExtensions blocking methods, which wouldn't be good.

0: https://news.ycombinator.com/item?id=44170099

1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...

2: https://nullsweep.com/why-is-this-website-port-scanning-me/

3: https://addons.mozilla.org/firefox/addon/port-authority

4: https://github.com/ACK-J/Port_Authority

5: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
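As an added example (not the original comment's code, nor Port Authority's or uBlock Origin's), here is the core decision a `webRequest`-based LAN blocker makes: cancel a request when a page on a public host targets a loopback or private-range host. The function names, the `<all_urls>` registration and the exact set of ranges treated as "local" are assumptions of this example.

```javascript
// Added example: minimal WebExtension webRequest listener that cancels
// "outsider intrusion into LAN" requests. Function names are hypothetical;
// the local ranges are loopback, RFC 1918, link-local, IPv6 ::1 / ULA / fe80.

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every(n => n <= 255) ? o : null;
}

// True when a URL hostname names the local machine or the LAN.
function isLocalHost(host) {
  host = host.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost') || host.endsWith('.local')) return true;
  if (host.startsWith('[')) {                 // IPv6 literal as URL.hostname gives it
    const v6 = host.slice(1, -1);
    return v6 === '::1' || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
  }
  const o = parseIPv4(host);
  if (!o) return false;
  return o[0] === 127 || o[0] === 10 || o[0] === 0 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Classify one request: block if the initiating page is on a public host and
// the destination is local. Returns the decision plus host/port for logging.
// Firefox exposes the initiator as details.originUrl, Chrome as details.initiator.
function classifyRequest(details) {
  const dst = new URL(details.url);
  const initiator = details.originUrl || details.initiator || '';
  const from = initiator ? new URL(initiator).hostname : '';
  const outsider = isLocalHost(dst.hostname) && !(from && isLocalHost(from));
  const tls = dst.protocol === 'https:' || dst.protocol === 'wss:';
  const port = dst.port || (tls ? '443' : '80');
  return { cancel: outsider, host: dst.hostname, port, from };
}

// Register only when running inside an extension (needs the "webRequest",
// "webRequestBlocking" and "<all_urls>" permissions in manifest.json).
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onBeforeRequest.addListener(details => {
    const r = classifyRequest(details);
    if (r.cancel) console.warn(`blocked ${r.from} -> ${r.host}:${r.port}`);
    return { cancel: r.cancel };
  }, { urls: ['<all_urls>'] }, ['blocking']);
}
```

Run outside a browser it simply exports nothing and does no harm; `classifyRequest` can be exercised directly with constructed request objects.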

JimDabell | 9 months ago

There is a specification for blocking this:

https://wicg.github.io/private-network-access/

It gained support from WebKit:

https://github.com/WebKit/standards-positions/issues/163

…and Mozilla:

https://github.com/mozilla/standards-positions/issues/143

…and it was trialled in Blink:

https://developer.chrome.com/blog/private-network-access-upd...

Unfortunately, it’s now on hold due to compatibility problems:

https://developer.chrome.com/blog/pna-on-hold

matthberg | 9 months ago

Yep! Unfortunately its main method (as far as I remember from when I first read the proposal at least, it may do more) is adding preflight requests and headers to opt-in, which works for most cases yet doesn't block behind-the-lines collaborating apps like mentioned in the main article. If there's a listening app (like Meta was caught doing) that's expecting the requests, this doesn't do much to protect you.

EDIT: Looks like it does mention integrating into the permissions system [0], I guess I missed that. Glad they covered that consideration, then!

0: https://wicg.github.io/private-network-access/#integration-p...

account42 | 9 months ago

> There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472)

I would not consider this a legitimate use. Websites have no business knowing what apps you have installed.

matthberg | 9 months ago

I agree, yet at least you can kind of see where they're coming from.

I guess a better example would be the automatic hardware detection Lenovo Support offers [0] by pinging a local app (with some clear confirmation dialogs first). Asus seems to do the same thing.

uBlock Origin has a fair few explicit exceptions made [1] for cases like those (and other reasons) in their filter list to avoid breakages (notably Intel domains, the official Judiciary of Germany [2] (???), `figma.com`, `foldingathome.org`, etc).

0: https://pcsupport.lenovo.com/

1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...

2: https://github.com/uBlockOrigin/uAssets/issues/23388 and https://www.bundesjustizamt.de/EN/Home/Home_node.html (they're trying to talk to a local identity verification app seems like, yet I find it quite funny)

account42 | 9 months ago

IMO browsers should not just block the request but block the whole website with one of those scary giant red banners if something like this is attempted. If all websites get for trying to work around privacy protections is that their attempts might not succeed then there is little incentive not to try.

xrisk | 9 months ago

Your DNS server not resolving to localhost may also serve as an additional line of defense.

h43z | 9 months ago

What does this have to do with the issue here? A website can just connect to 127.0.0.1, no DNS needed.

I think what you are thinking of are DNS rebinding attacks.