http.Fetch can leak your street address (No, Not through your public ip)
20 replies, posted
Title got FUCKED, meant to say "public IP" [sp] Magically unfucked now [/sp]
[B][U]Currently, if your router control panel shows your MAC Address without having to login or be an admin, anyone can possibly get your street address.
So you should probably check it to be safe, most of the people (including myself) I asked are vulnerable though.[/U][/B]
[U]How it works[/U]
Anyone can scan your local network by doing http.Fetch("http://192.168.*.*") for your router IP address
If your router then exposes your MAC Address publicly then someone could use [URL="https://developers.google.com/maps/documentation/geolocation/intro"]Google's GeoLocation API[/URL] to get a very close estimate to where you live.
Although it seems easy, it's required that Google's streetview car drove by your house and logged your router after you moved in (You can probably check by just going on streetview and checking the picture date outside your house (if any) )
- Can easily be fixed by disabling local IPs in HTTP
Also make sure to patch awesomium (untested) @Willox @Rubat
-> Posted in Developer discussion cause I know there are some people here that would care to know if something like this existed and wanted to stay safe [IMG]https://cdn.frankerfacez.com/emoticon/107715/1[/IMG]
Also your router needs to be somewhat close to the street
- Apperently already found by cake from [URL="http://glua.team/"]glua.team[/URL] :(
HOLY SHIT I grabbed my neightbours MAC address and the google API was accurate to the METER. This is scary as fuck.
This literally means that any device with WiFi capabilities can locate me now. :(
Guess I can't even trust my laptop anymore. Any program could just scan for nearby wifi's see my neighbors one (and thus can get mac addresses of it) and locate me.
[b]Edit[/b]
Just tested the MAC address of my 5GHz network and that also seems to work.
Streetview shows pictures from before I moved to this house, so something else updated their database with my wifi's MAC apparently. Android hivemind anyone?
Quickest fix for routers running dd-wrt:
Check this box
[IMG]http://i.imgur.com/Payc4c5.png[/IMG]
Under administration/management
Won't change anything other than requiring a password to see the info homepage (fixing the issue described in the OP).
[QUOTE=maurits150;52174577]
HOLY SHIT I grabbed my neightbours MAC address and the google API was accurate to the METER. This is scary as fuck.
This literally means that any device with WiFi capabilities can locate me now. :(
Guess I can't even trust my laptop anymore. Any program could just scan for nearby wifi's see my neighbors one (and thus can get mac addresses of it) and locate me.
Edit
Just tested the MAC address of my 5GHz network and that also seems to work.
Streetview shows pictures from before I moved to this house, so something else updated their database with my wifi's MAC apparently. Android hivemind anyone?[/QUOTE]
Interesting, I haven't been able to find too much public info on how they obtain the addresses apart from streetview. But Android / Google phones are probably a pretty good guess
[IMG]https://i.ytimg.com/vi/-nKBWdERAw4/hqdefault.jpg[/IMG]
lol routers not vulnerable :dance:
[QUOTE=legendofrobbo;52174660]lol routers not vulnerable :dance:[/QUOTE]
[IMG]http://i.imgur.com/JMn8X8T.png[/IMG]
:s:
I'm amazed there are routers that show any kind of info without being logged in.
an easy solution for the developers to fix this is to query the dns for the ip of a domain (if applicable) then check to see if it's in the private ip address space
[editline]2nd May 2017[/editline]
or just check gateway...
Just added a firewall rule, thanks for the info.
[editline]1st May 2017[/editline]
I'm not an expert, but this seems to work. You can also specify it to only block hl2.exe and awesomium.
[img]http://i.imgur.com/TCXywoi.png[/img]
[QUOTE=wh1t3rabbit;52174688]I'm amazed there are routers that show any kind of info without being logged in.[/QUOTE]
Still probably easy to login:
user: admin
pass: password or changeme
[QUOTE=Promptitude;52175027]Still probably easy to login:
user: admin
pass: password or changeme[/QUOTE]
how'd you find out my router info?!
I am interested to know if this works because I live out in the middle of nowhere.
But I am not in a position to test it, 90:CD:B6:6A:4E:D7
Feel free to post anything you get back.
[QUOTE=The Commander;52175300]I am interested to know if this works because I live out in the middle of nowhere.
But I am not in a position to test it, 90:CD:B6:6A:4E:D7
Feel free to post anything you get back.[/QUOTE]
Commander you have to do your router not your phone's Mac address. That's not how this works!
RIP, I can't even find that information atm.
Lucky i live in a dumpster
ulx essentials v2 incoming
not only is my router not vulnerable to this for some reason the google apis can't even geolocate my mac address.
yay, i guess? :huh:
[editline]2nd May 2017[/editline]
on a complete side note making this a public api is just asking for trouble, wtf google
Hooray for basic auth.
Tried it anyways for shits and giggles, Google thinks I'm homeless (and 20min+ away from my actual location)
thanks, I guess
[QUOTE]Currently, if your router control panel shows your MAC Address without having to login or be an admin, anyone can possibly get your street address. [/QUOTE]
Basics of networking security, sir. But anyway thanks for posting this, I'll need to warn kids at my DarkRP about this [sp]and make some dirty advertising of my server >:3[/sp].
[QUOTE=Kevlon;52174477]Title got FUCKED, meant to say "public IP" [sp] Magically unfucked now [/sp]
[B][U]Currently, if your router control panel shows your MAC Address without having to login or be an admin, anyone can possibly get your street address.
So you should probably check it to be safe, most of the people (including myself) I asked are vulnerable though.[/U][/B]
[U]How it works[/U]
Anyone can scan your local network by doing http.Fetch("http://192.168.*.*") for your router IP address
If your router then exposes your MAC Address publicly then someone could use [URL="https://developers.google.com/maps/documentation/geolocation/intro"]Google's GeoLocation API[/URL] to get a very close estimate to where you live.
Although it seems easy, it's required that Google's streetview car drove by your house and logged your router after you moved in (You can probably check by just going on streetview and checking the picture date outside your house (if any) )
- Can easily be fixed by disabling local IPs in HTTP
Also make sure to patch awesomium (untested) @Willox @Rubat
-> Posted in Developer discussion cause I know there are some people here that would care to know if something like this existed and wanted to stay safe [IMG]https://cdn.frankerfacez.com/emoticon/107715/1[/IMG]
Also your router needs to be somewhat close to the street
- Apperently already found by cake from [URL="http://glua.team/"]glua.team[/URL] :([/QUOTE]
thought everyone knew about this.
some guy from some "hackercon" demoed this in gmod on stage like 2 years ago, showing that people can even bruteforce ur routers login(if u havent changed default pass), with http post request
Sorry, you need to Log In to post a reply to this thread.
