
Issue 834974


Issue metadata

Status: Duplicate
Merged: issue 333752
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug-Security




Private IP address can be found using WebRTC

Project Member Reported by matta@google.com, Apr 19 2018

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 10323.67.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.209 Safari/537.36

Steps to reproduce the problem:
1. Visit http://whatismyip.com (tested on Android)
2. "Your Local IP is: 192.168.100.101"

What is the expected behavior?
Private IP addresses should not be leaked when browsing the web.

What went wrong?
Private IP address is available to any site that requests it.

Did this work before? N/A 

Chrome version: 65.0.3325.209  Channel: stable
OS Version: 10323.67.0
Flash Version:
 
Labels: -OS-Chrome OS-Android
Presumably dupe of Issue 768706.
Yup.

  function checkLocal() {
      // compatibility for Firefox and Chrome
      window.RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
      var pc = new RTCPeerConnection({iceServers: []}), noop = function () {};
      pc.createDataChannel("");    // create a bogus data channel
      pc.createOffer(pc.setLocalDescription.bind(pc), noop);    // create offer and set local description
      pc.onicecandidate = function (ice) {  // listen for candidate events
          if (!ice || !ice.candidate || !ice.candidate.candidate) return;
          var match = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(ice.candidate.candidate);
          if (!match) return;  // candidate string carries no IP literal
          var myIP = match[1];
          jQuery(document).ready(function () {
              jQuery("#local-ip").append("<li class=\"list-group-item\">Your Local IP is: " + myIP + "</li>");
              jQuery("#local-ip").show("slow");
          });

          pc.onicecandidate = noop;
      };
  }

Blocking this on Desktop requires a Chrome extension. Blocking it on Android presently isn't possible as far as I know.
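
A check a tester could run over candidate strings collected from a browser under test, to see whether any candidate still carries a local-network IP literal. This is an added example, not part of the issue thread or of Chromium; the function names and the sample candidate lines are constructed for illustration.

```javascript
// Added example: audit ICE candidate lines for local-network addresses.
// All candidate strings in SAMPLE are constructed, not captured from a browser.

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
const CANDIDATE_RE = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/i;

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(a);
  if (v4) {
    const o = v4.slice(1).map(Number);
    if (o.some((n) => n > 255)) return "invalid";
    if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
        (o[0] === 192 && o[1] === 168)) return "private-ipv4"; // RFC 1918
    if (o[0] === 169 && o[1] === 254) return "link-local-ipv4";
    if (o[0] === 127) return "loopback";
    return "public-ipv4";
  }
  if (a.includes(":")) {
    if (/^f[cd][0-9a-f]{2}:/.test(a)) return "unique-local-ipv6"; // fc00::/7
    if (/^fe[89ab][0-9a-f]:/.test(a)) return "link-local-ipv6";   // fe80::/10
    return "global-ipv6";
  }
  return "hostname"; // not an IP literal, so no address is disclosed directly
}

const LOCAL_CLASSES = new Set(["private-ipv4", "link-local-ipv4",
                               "unique-local-ipv6", "link-local-ipv6"]);

// One record per parseable candidate; leaksLocal is true when the candidate
// carries a local-network IP literal.
function auditCandidates(lines) {
  const out = [];
  for (const line of lines) {
    const m = CANDIDATE_RE.exec(line.trim());
    if (!m) continue; // skip anything that is not a candidate attribute
    const cls = classifyAddress(m[1]);
    out.push({ address: m[1], type: m[2], cls, leaksLocal: LOCAL_CLASSES.has(cls) });
  }
  return out;
}

const SAMPLE = [ // constructed
  "candidate:1 1 udp 2113937151 192.168.100.101 54321 typ host generation 0",
  "candidate:2 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:3 1 udp 2113937151 fe80::1c2d:3e4f:5a6b:7c8d 54322 typ host",
  "candidate:4 1 udp 2113937151 example-host.local 54323 typ host",
];
console.log(auditCandidates(SAMPLE).filter((c) => c.leaksLocal));
```
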

Comment 4 by vakh@chromium.org, Apr 20 2018

Components: Blink>WebRTC>Network Blink>WebRTC
Mergedinto: 333752
Owner: battre@chromium.org
Status: Duplicate (was: Unconfirmed)
battre@ -- this seems like a duplicate of Issue 333752.
Please feel free to re-open if it is not.

Comment 5 by vakh@chromium.org, Apr 23 2018

Cc: tnagel@chromium.org

Comment 6 by tnagel@chromium.org, Apr 23 2018

Labels: -Restrict-View-SecurityTeam
I don't see anything sensitive here. Removing view restriction.

Comment 7 by sheriffbot@chromium.org, Jul 28

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
