Covert Web-to-App Tracking via Localhost on Android(localmess.github.io)

260 pointsby todsacerdoti3 days ago4 comments

fsflover3 days ago
Related: https://news.ycombinator.com/item?id=44169115
- tomhow3 days ago
  Comments moved thither. Thanks!
- metadat3 days ago
  Thanks! Macro-expanded:
  Meta and Yandex are de-anonymizing Android users' web browsing identifiers - https://news.ycombinator.com/item?id=44169115 (4 hours ago, 126 comments)
matthberg3 days ago
A comment I wrote in another HN thread [0] (though this one was the original):
Web apps talking to LAN resources is an attack vector which is surprisingly still left wide open by browsers these days. uBlock Origin has a filter list that prevents this called "Block Outsider Intrusion into LAN" under the "Privacy" filters [1], but it isn't enabled on a fresh install, it has to be opted into explicitly. It also has some built-in exemptions (visible in [1]) for domains like `figma.com` or `pcsupport.lenovo.com`.
There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472), but mainly it's used for fingerprinting by malicious actors like shown in the article.
Ebay for example uses port-scanning via a LexisNexis script for fingerprinting (they did in 2020 at least, unsure if they still do), allegedly for fraud prevention reasons [2].
I've contributed some to a cool Firefox extension called Port Authority [3][4] that's explicitly for blocking LAN intruding web requests that shows the portscan attempts it blocks. You can get practically the same results from just the uBlock Origin filter list, but I find it interesting to see blocked attempts at a more granular level too.
That said, both uBlock and Port Authority use WebExtensions' `webRequest` [5] API for filtering HTTP[S]/WS[S] requests. I'm unsure as to how the arcane webRTC tricks mentioned specifically relate to requests exposed to this API; it's possible they might circumvent the reach of available WebExtensions blocking methods, which wouldn't be good.
0: https://news.ycombinator.com/item?id=44170126
1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...
2: https://nullsweep.com/why-is-this-website-port-scanning-me/
3: https://addons.mozilla.org/firefox/addon/port-authority
4: https://github.com/ACK-J/Port_Authority
5: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
johannes12343213 days ago
Is there any reason for "normal" applications (not when people use a phone as a web server on purpose etc.) to listen to incoming connections? To me seems like something which should be blocked behind those well hidden developer options or similar and nothing an app can easily do.
JimDabell3 days ago
(Also posted this in the other thread: https://news.ycombinator.com/item?id=44170351)
There is a specification for blocking this:
https://wicg.github.io/private-network-access/
It gained support from WebKit:
https://github.com/WebKit/standards-positions/issues/163
…and Mozilla:
https://github.com/mozilla/standards-positions/issues/143
…and it was trialled in Blink:
https://developer.chrome.com/blog/private-network-access-upd...
Unfortunately, it’s now on hold due to compatibility problems:
https://developer.chrome.com/blog/pna-on-hold
- 3 days ago
  undefined