Bugtraq mailing list archives
Re: Serious security holes in web anonimyzing services
From: ben () ALGROUP CO UK (Ben Laurie)
Date: Thu, 15 Apr 1999 20:47:21 +0100
Patrick Oonk wrote:
With the Bell Labs and NRL systems I found a different failure. With a simple JavaScript expression I was able to query the IP address and host name of the browser computer. The query was done by calling the Java InetAddress class using the LiveConnect feature of Netscape Navigator. Once JavaScript has this information, it can easily be transmitted back to a Web server as part of a URL.
This is not news. We (Major Malfunction and I) pointed this hole out years ago (in Jan '97 to be precise; seems even longer):

http://www.alcrypto.com/java/

to quote the page:

"Even the mighty anonymizer retires after the first round, nose bleeding and ego bruised."

Well, you know, these guys with weird names like the flowery prose :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi