This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs: https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely deployed.
VULNERABILITY DETAILS
==============================================================================
This security vulnerability report comes from an external researcher and was submitted via Android Security External Reports.
=============================================================
Android Internal Bug: https://buganizer.corp.google.com/issues/73301617
=============================================================
Issue details:
[Original report]
Dear Team,
I am using webkit version 64.0.3282.137; however, using the well-known property of the WebRTC function, an attacker could retrieve the user's private IP address.
Attaching the code for your reference; request you to please have a look.
Demo URL: www.ch3114.com/getip.html
Thank you
-------------------------
[ASDL response]
Hello,
Please note that this channel is for reporting security vulnerabilities on the Android platform. If you are reporting an issue in accordance with Google's VRP, please report this issue at https://www.google.com/about/appsecurity/reward-program/.
If you believe this to be a vulnerability on the Android platform, the Android security team would like some additional information in order to accurately assess the impact of this report.
Can you please provide us a proof of concept (as an attachment) in order to verify this report?
Can you clarify what "the well know property of WebRTC function" means?
Can you please provide more details on how this can be exploited, including detailed steps for reproduction?
What device did this issue occur on?
What version of Android did this issue occur on?
What Security Patch Level (Settings > About Phone) did this issue occur on?
Thank you,
Android Security Team
-------------------------
[Reporter response]
Dear Team,
Can you please provide us a proof of concept (as an attachment) in order to verify this report?
Please find attached; the webkit leaks the private IP address of the user. (Apologies for such a PoC, but if we use Android Webkit and navigate to www.ch3114.com/getip.html it leaks the private IP address as shown below.)
Can you clarify what "the well know property of WebRTC function" means?
In browsers/webkit there is a property of WebRTC (Web Real-Time Communications) which enables Web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.
Can you please provide more details on how this can be exploited, including detailed steps for reproduction?
There are multiple attack scenarios for this:
1. An attacker could retrieve the private IP address of the user, and if they are on the same network this information will help him perform further attacks on victims.
2. An attacker on a different network can collect the IP address of the remote user, and such information will help the attacker perform targeted attacks; apart from that, it reveals which class of IPs is used by the remote user or an organisation.
What device did this issue occur on?
I am able to replicate this issue on LYF Mobile and Nokia 8.
What version of Android did this issue occur on?
The LYF Mobile which I used is on Android 6.0.1 and the Nokia 8 is on Android 8.0.0.
What Security Patch Level (Settings > About Phone) did this issue occur on?
On LYF the Patch Level is October 1, 2016, and on Nokia 8 the Patch Level is 1 February 2018.
Request you to please have a look,
Thank you
-------------------------
===============================================
Discovery Notes:
Researcher has only submitted two other security issues, both web-related.
Those issues were No Repro and NSI respectively.
Despite the name of the .jpg, it's not really a PoC.
Website link provided by researcher has not been vetted.
===============================================
INTERNAL ASSESSMENT:
[Pre-triage note]: Working as Intended. I guess the researcher is referring to the RTCPeerConnection property.
The browser's WebRTC implementation allows requests to STUN servers, which return the local and public IP addresses.
[TRIAGE] +1 to WAI, this appears to be deliberate behavior for WebRTC. We should also forward this to Chrome to confirm our understanding, because even if this is real, it isn't Android.
VERSION
Chrome Version: 64.0.3282.137 webkit
Operating System: LYF Mobile Android 6.0.1 and Nokia 8 Android 8.0.0
Attachment (deleted): PoC.jpg, 5.8 MB
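The internal assessment above names the mechanism: RTCPeerConnection gathers ICE candidates, host candidates carry the device's local address, server-reflexive candidates obtained through STUN carry the public one, and page script receives all of them through the onicecandidate callback. The following is an added example, not part of this report or of Chromium's code: a small auditor that parses candidate lines in the RFC 5245 syntax and reports which of them would expose a private (RFC 1918, link-local or IPv6 unique-local) address, including the related address (raddr) that server-reflexive and relay candidates carry. The candidate strings, the mDNS-style ".local" host name and the classification labels are this example's own constructions. A defender can run the same classifier over candidates collected from a browser or WebView under test to confirm that host candidates are mDNS-obfuscated and that raddr is zeroed, which later Chrome releases do by default.

```javascript
// Added example (not from the report or Chromium): audit ICE candidate lines
// for private-address exposure. All sample candidates below are constructed.

// Parse one candidate line (with or without the "a=" / "candidate:" prefixes)
// into its positional fields plus the trailing key/value extensions.
function parseCandidate(line) {
  const s = line.trim().replace(/^a=/, "").replace(/^candidate:/, "");
  const parts = s.split(/\s+/);
  if (parts.length < 8 || parts[6] !== "typ") return null;
  const c = {
    foundation: parts[0], component: Number(parts[1]),
    transport: parts[2].toLowerCase(), priority: Number(parts[3]),
    address: parts[4], port: Number(parts[5]), type: parts[7], ext: {},
  };
  // Extensions such as "raddr 192.168.1.23 rport 53844 generation 0".
  for (let i = 8; i + 1 < parts.length; i += 2) c.ext[parts[i]] = parts[i + 1];
  return c;
}

// RFC 1918 private ranges plus 169.254.0.0/16 link-local.
function isPrivateIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return false;
  return o[0] === 10
    || (o[0] === 172 && o[1] >= 16 && o[1] <= 31)
    || (o[0] === 192 && o[1] === 168)
    || (o[0] === 169 && o[1] === 254);
}

// IPv6 unique-local (fc00::/7) and link-local (fe80::/10) prefixes.
function isPrivateIPv6(addr) {
  return /^f[cd][0-9a-f]{2}:/i.test(addr) || /^fe[89ab][0-9a-f]:/i.test(addr);
}

function isPrivateAddress(addr) {
  return isPrivateIPv4(addr) || isPrivateIPv6(addr);
}

// Browsers that obfuscate host candidates publish an mDNS name instead of an IP.
function isMdnsName(addr) {
  return /\.local$/i.test(addr);
}

// Labels: "mdns-host" (obfuscated), "private-host" (LAN address exposed),
// "public-host", "private-raddr" (public candidate whose related address
// still reveals the LAN address), "srflx", "relay", "other", "invalid".
function classifyCandidate(line) {
  const c = parseCandidate(line);
  if (!c) return "invalid";
  if (c.type === "host") {
    if (isMdnsName(c.address)) return "mdns-host";
    if (isPrivateAddress(c.address)) return "private-host";
    return "public-host";
  }
  if (c.type === "srflx" || c.type === "relay") {
    if (c.ext.raddr && isPrivateAddress(c.ext.raddr)) return "private-raddr";
    return c.type;
  }
  return "other";
}

// Summarise a whole gathering session: does any candidate expose a private address?
function auditCandidates(lines) {
  const counts = {};
  for (const line of lines) {
    const label = classifyCandidate(line);
    counts[label] = (counts[label] || 0) + 1;
  }
  const exposesPrivateAddress =
    (counts["private-host"] || 0) + (counts["private-raddr"] || 0) > 0;
  return { exposesPrivateAddress, counts };
}

// Constructed sample session: an unmitigated host candidate, a reflexive
// candidate whose raddr still leaks, an mDNS-obfuscated host, a reflexive
// candidate with zeroed raddr, and a relay candidate with a public raddr.
const SAMPLE_CANDIDATES = [
  "candidate:842163049 1 udp 1677729535 192.168.1.23 53844 typ host generation 0",
  "candidate:842163049 1 udp 1677729535 203.0.113.7 53844 typ srflx raddr 192.168.1.23 rport 53844 generation 0",
  "a=candidate:1 1 udp 2122260223 3f9b2c4e-6a1d-4b7e-9c0a-1d2e3f4a5b6c.local 54321 typ host generation 0",
  "candidate:2 1 udp 1677729535 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0 generation 0",
  "candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 54321 generation 0",
];

console.log(JSON.stringify(auditCandidates(SAMPLE_CANDIDATES)));
```

In a live audit the `lines` argument would be the `candidate` strings collected from `RTCPeerConnection`'s `onicecandidate` events on the browser under test; a mitigated build yields only "mdns-host", "srflx" and "relay" labels, and `exposesPrivateAddress` stays false.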
Comment 1 by elawrence@chromium.org, Feb 16 2018
Labels: OS-Android
Mergedinto: 333752
Status: Duplicate (was: Unconfirmed)