I recently read about an interesting browser information leak on ha.ckers.org and decided to code up a proof-of-concept.
It allows a malicious website to detect whether the user is browsing through a proxy or not by using image tags. Proxies are often used by corporations, political dissidents, and privacy conscience Internet users because they can provide additional security or anonymous Internet browsing.
Here’s how the exploit works
Firefox uses square brackets
[ ] to denote IPv6 addresses, but this notation also works to describe IPv4 addresses (I’m not sure exactly why).
So, if we embed an image with
src="http://[184.108.40.206]/pic.jpg" into a page, Firefox automatically resolves
[220.127.116.11] into the IP address
However, if the user is browsing through a proxy, this automatic resolution doesn’t happen. Instead, Firefox asks the proxy to do a DNS lookup for the “domain”
[18.104.22.168], which obviously fails since it’s not a valid domain name.
Most proxies don’t know how to handle the bracketed domain, so the DNS lookup fails. I’ve tested this on Tor (popular proxy for anonymous Internet browsing), PHP Proxy and CGI Proxy (the top two web-based proxies), and Proxify (popular commercial web proxy).
View the demo. (Works in: Firefox 3, Safari 5)
Here’s the code I wrote
<div id="proxy" style="display:none;"> You are accessing the Internet through a proxy (corporate proxy, VPN, or <a href="http://www.torproject.org/">Tor</a>). </div>
<div id="no_proxy"> You are accessing the Internet directly. No proxy. </div>
<img src="http://[22.214.171.124]/organize.jpg" style="height:0;width:0;display:none;" onerror="setUsingProxy()">
This attack only affects Firefox and Safari, as far as I can tell.
Credit for the idea, as I mentioned above, goes to Ha.ckers - Quick Proxy Detection.
Code is now available on Github.
(If you liked this, you might like How To Set Up Your Linode For Maximum Awesomeness.)