[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header
From: Stefan Paletta <stefanp@xxxxxxxxxx>
Date: Sat, 9 Aug 2014 23:45:46 +0200

Hi!

“Steganos Online Shield VPN” claims to enhance the user’s privacy online 
(<https://www.steganos.com/en/products/vpn/online-shield-vpn/features/>) by, 
among other measures, (a) blocking advertisements in web pages, (b) blocking 
tracking code in web pages,  and (c) replacing the browser’s “User-Agent” 
header with a fixed value. The measures can be enabled independent of each 
other and independent of other functionality of the software (e.g. use of a VPN 
connection).

Use of any feature (a) through (c) will enable a local HTTP proxy server based 
on Node.js (<http://nodejs.org/>) and <https://github.com/axiak/filternet>.

When (a) and/or (b) are enabled, and (c) is not, the proxy will leak the 
hostname of the machine in a “Via” header like so: “Via: 1.1 foobar:8123 
(Steganos Online Shield)” (where “foobar” is the local hostname).

The code is this 
<https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L19>
 (think %windir%\System32\HOSTNAME.EXE) and this 
<https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L116>.

When (c) is enabled, custom code in the proxy will replace the “User-Agent” 
header with a fixed value and replace the “Via” header with the empty string 
(not remove it altogether), thereby mitigating the information leak.

The machine’s hostname is usually strongly connected to the user’s identity 
(often containing their name). In addition to that, it is a strong 
distinguisher that will allow a correlation of HTTP requests as originating 
from the same machine (and thereby user, to some degree) even when these 
requests are not otherwise related in any way.

When reproducing, be careful that online services echoing back your HTTP 
request may or may not echo a “Via” header when one is in fact present.

–Stefan

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CS-Cart v4.2.0 Session Hijack and Other Vulnerabilities
Next by Date: [FD] Beginners error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files
Previous by thread: [FD] CS-Cart v4.2.0 Session Hijack and Other Vulnerabilities
Next by thread: Re: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header
Index(es):
- Date
- Thread