From: "Richard M. Smith" 
Newsgroups: alt.comp.virus
Subject: Security holes in Web anonymizing services
Date: Sun, 11 Apr 1999 19:12:20 -0400
Hello,
I found very serious security holes in all of the major anonymous Web
surfing services (Anonymizer, Aixs, LPWA, etc.). These security holes
allow a Web site to obtain information about users that the anonymizing
services are supposed to be hiding.  This message provides complete
details of the problem and offers a simple work-around for users until
the security holes are fixed. 
The April 8th issue of the New York Times has an article by Peter H.
Lewis in the Circuits section that describes various types of services
that allow people to anonymously surf the Web.  The article is entitled
"Internet Hide and Seek" and is available at the NY Times Web site: 
http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
(Note, this article can only be viewed if you have a free NY Times Web
account.)
The three services described in the article are:
    Anonymizer (http://www.anonymizer.com)
    Bell Labs (http://www.bell-labs.com/project/lpwa)
    Naval Research Laboratory (http://www.onion-router.net)
In addition, I found a pointer to a fourth service in a security
newsgroup:
    Aixs (http://aixs.net/aixs/)
The best known of these services is the Anonymizer at www.anonymizer.com. 
However, all four services basically work in the same manner.  They are
intended to hide information from a Web site when visited by a user.  The
services prevent the Web site from seeing the IP address, host computer
name, and cookies of a user.  All the services act as proxies fetching
pages from Web sites instead of users going directly to Web sites.  The
services make the promise that they don't pass private information along
to Web sites.  They also do no logging of Web sites that have been
visited. 
After reading the article, I was curious to find out how well each of
these services worked.  In particular, I wanted to know if it would be
possible for a Web site to defeat any of these systems.  Unfortunately,
with less than an hour's worth of work, I was able to get all four
systems to fail when using Netscape 4.5. 
The most alarming failures occurred with the Anonymizer and Aixs systems. 
With the same small HTML page I was able to quietly turn off the
anonymizing feature in both services. Once this page runs, it quickly
redirects to a regular Web page of the Web site.  Because the browser is
no longer in anonymous mode, IP addresses and cookies are again sent from
the user's browser to all Web servers. This security hole exists because
both services fail to properly strip out embedded JavaScript code in all
cases from HTML pages. 
With the Bell Labs and NRL systems I found a different failure.  With a
simple JavaScript expression I was able to query the IP address and host
name of the browser computer.  The query was done by calling the Java
InetAddress class using the LiveConnect feature of Netscape Navigator. 
Once JavaScript has this information, it can easily be transmitted
back to a Web server as part of a URL. 
A demo on the use of Java InetAddress class to fetch the browser IP
address and host name can be found at: 
   http://www.tiac.net/users/smiths/js/livecon/index.htm
If you are a user of any of these services, I highly recommend that you turn
off JavaScript, Java, and ActiveX controls in your browser before surfing
the Web. This simple precaution will prevent any leaks of your IP address
or cookies.  I will be notifying all 4 vendors about these security holes
and hopefully this same recommendation will be given to all users. 
If you have any questions or comments, please send them via Email. 
Richard M. Smith
smiths@tiac.net
---
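The stripping failure described above, shown from the proxy's side as an added example that is not from the original post or from any of the named services: a sanitizer an anonymizing proxy could apply to relayed HTML, using a real tokenizer rather than pattern matching so that tag case, attribute case and javascript: URLs with leading whitespace are all covered. The names ScriptStripper and strip_active_content are assumed, and the sample page is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Attributes that can carry a javascript: URL (assumed list, not a vendor's)
URL_ATTRS = {"href", "src", "action", "formaction", "data", "background"}

class ScriptStripper(HTMLParser):
    """Re-emit HTML with <script> elements, on* handlers and javascript: URLs removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # relay &amp; etc. verbatim
        self.out, self.in_script, self.dropped = [], False, 0

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:          # HTMLParser already lowercases names
            val = value or ""
            if name.startswith("on"):                                # onload=, onclick=, ...
                self.dropped += 1
            elif name in URL_ATTRS and val.strip().lower().startswith("javascript:"):
                self.dropped += 1                                    # href=" JavaScript:..."
            else:
                kept.append(f' {name}="{escape(val, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):  # tag is lowercased, so <SCRIPT> is caught
        if tag == "script":
            self.in_script, self.dropped = True, self.dropped + 1
        elif not self.in_script:
            self.out.append(f"<{tag}{self._clean_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag != "script" and not self.in_script:
            self.out.append(f"<{tag}{self._clean_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):          # script bodies arrive here and are dropped
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def strip_active_content(html):
    """Return (sanitized_html, count_of_script_items_removed) for a relayed page."""
    p = ScriptStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample: mixed-case tags, an inline handler and a javascript: link
SAMPLE = ('<html><body onLoad="alert(1)"><SCRIPT>alert("hi");</SCRIPT>'
          '<a href=" JavaScript:void(0)">x</a><p>Hello &amp; welcome</p></body></html>')
```

Comments are not re-emitted, since a proxy has no reason to relay them; the dropped count lets the proxy log how much active content each relayed page carried.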