NY Times: We Hack Everyone with Chrome, Firefox and others

[jos]

The NY Times is collecting every local IP even VPN users by taking advantage of a well documented exploit against WebRTC. The Times is even using clunky and poorly written JavaScript to carry out their attack. Using Firefox or Chrome’s Developer tools you can monitor use of internal API’s. Sure enough the NY Times is utilizing RTCPeerConnection API within Chrome and Firefox to spawn the attack. We can watch the connection in real time as they create a connection to stun:ph.tagsrvcs.com which is a Stun Server.

 

 

Mt = function() {function e() {this.addrsFound = {"0.0.0.0": 1}}return e.prototype.grepSDP = function(e, t) {var n = this;if (e) {var o = [];e.split("\r\n").forEach(function(e) {if (0 == e.indexOf("a=candidate") || 0 == e.indexOf("candidate:")) {var t = e.split(" "),i = t[4],r = t[7];("host" === r || "srflx" === r) && (n.addrsFound[i] || (o.push(i), n.addrsFound[i] = 1))} else if (0 == e.indexOf("c=")) {var t = e.split(" "),i = t[2];n.addrsFound[i] || (o.push(i), n.addrsFound[i] = 1)}}), o.length > 0 && t.queue(new y("webRTC", o))}}, e.prototype.run = function(e) {var t = this;if (c.wrip) {var n = window.RTCPeerConnection || window.webkitRTCPeerConnection || window.mozRTCPeerConnection;if (n) {var o = {optional: [{RtpDataChannels: !0}]},i = []; - 1 == w.baseDomain.indexOf("update.") && i.push({url: "stun:ph." + w.baseDomain});var r = new n({iceServers: i}, o);r.onicecandidate = function(n) {n.candidate && t.grepSDP(n.candidate.candidate, e)}, r.createDataChannel(""), r.createOffer(function(e) {r.setLocalDescription(e, function() {}, function() {})}, function() {});var a = 0,s = setInterval(function() {null != r.localDescription && t.grepSDP(r.localDescription.sdp, e), ++a > 15 && (clearInterval(s), r.close())}, 200)}}}, e}(),

Maybe they are trying to increase targeted add revenue

 

Source: http://no-adware.com/blog/ny-times-webrtc-hack/

[Trik'Stari]

Too bad the general American populous will NEVER hear of this. And even if they did, they'd be too stupid to be as outraged as they should be about it. In the end, the most we can expect is for the courts to give them a slap on the wrist fine, and then no one will ever speak of it again.

[AMICLG]

There's an easily fix for this, at least in Firefox. Just install Disable WebRTC, I've been running for at least a year now and it does work.

[burnttoastnice]

There's an easily fix for this, at least in Firefox. Just install Disable WebRTC, I've been running for at least a year now and it does work.

 

I was just about to ask how. Which config do I turn off?

[LucidMew]

I was just about to ask how. Which config do I turn off?

Follow the guide here

Chrome

There is no known working solution, only a plugin that is easily circumvented. Please use Firefox instead.

If you're an advanced user you may want to look at the Advanced options

Firefox

There is a plugin for Firefox to disable and enable WebRTC. You can download it here.

Press "+ Add to firefox" and then press "Install now". A little icon will turn up next to the address bar. It disables WebRTC by default. If you click it, it will turn grey which means WebRTC is enabled.

If you wish to manually disable or enable WebRTC you can use these instructions:

To disable

1. Enter "about:config" in the address bar and press enter
2. Press the button "I'll be careful, I promise!"
3. Type in "media.peerconnection.enabled" in the search bar (there should be only one entry)
4. Right-click the entry choose "Toggle", the column "Value" should now be "false"

To enable

1. Enter "about:config" in the address bar and press enter
2. Press the button "I'll be careful, I promise!"
3. Type in "media.peerconnection.enabled" in the search bar (there should be only one entry)
4. Right-click the entry choose "Toggle", the column "Value" should now be "true"

Advanced options

For advanced users there is the NoScript plugin for Firefox and the ScriptSafe plugin for Chrome. If you install any of these or are already using one of them you are protected for as long as you do not allow javascript on any of the websites you visit.

This allows you to make a tradeoff and allow websites that you're sure do not use WebRTC or that you're not afraid to disclose your real IP to. Be aware that these plugins break many sites if you do not allow javascript on them.

 

 

and/or install these addons (haven't looked deeply into them though.)

firefox: https://addons.mozilla.org/En-us/firefox/addon/happy-bonobo-disable-webrtc/

 

chrome: https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm?hl=en

 

 

---------

 

edit: you can test it out here

Edited July 16, 2015 by LucidMew