This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

[Security] DNS rebinding attack against webtorrent #12616

Closed
diracdeltas opened this issue Jan 12, 2018 · 5 comments · Fixed by #13844

Comments

@diracdeltas
Member

our webtorrent integration may be vulnerable to the DNS rebinding attack described in transmission/transmission#468. the torrent server uses CORS but it doesn't check the Host header.

impact: remote sites may see what a user is torrenting

@diracdeltas diracdeltas self-assigned this Jan 12, 2018
@diracdeltas diracdeltas added this to the 0.20.x (Beta Channel) milestone Jan 12, 2018
@diracdeltas diracdeltas added the needs-investigation A bug not 100% confirmed/fixed that needs QA to better audit. label Jan 12, 2018
diracdeltas added a commit to diracdeltas/webtorrent that referenced this issue Jan 12, 2018
This adds the `hostname` opt to allow the server to validate the `Host` header of incoming requests to prevent DNS rebinding attacks. Needed for brave/browser-laptop#12616.
@diracdeltas diracdeltas removed the needs-investigation A bug not 100% confirmed/fixed that needs QA to better audit. label Jan 22, 2018
@diracdeltas
Member Author

this does affect webtorrent but the impact is relatively low - the attacker can see the torrented files. however this is usually possible for torrents anyway (unless you're using a private tracker) since the attacker can just join the swarm.

@diracdeltas
Member Author

general issue: #12671

@bsclifton
Member

Still waiting on merge upstream... moving to tentative 0.20.x hotfix 1 milestone

@bsclifton bsclifton modified the milestones: 0.20.x (Beta Channel), 0.20.x Hotfix 1 Jan 23, 2018
@alexwykoff alexwykoff modified the milestones: 0.20.x Hotfix 3 (Ledger improvments), Backlog (Prioritized) Feb 6, 2018
@diracdeltas diracdeltas modified the milestones: Backlog (Prioritized), 0.24.x (master) Mar 14, 2018
@diracdeltas
Member Author

upstream webtorrent fix has been merged, we need to add an option to webtorrent-remote though: dcposch/webtorrent-remote#9.

@feross
Contributor

feross commented Apr 11, 2018

I think the hostname option can be specified by the webtorrent-remote user and it will be passed through to webtorrent.

You can see how opts from torrent.createServer(opts) gets passed through in this commit where it was added: dcposch/webtorrent-remote@5b0cec4

So, the solution to this should just be to change Brave's `torrent.createServer(opts)` call to include an `opts.hostname` option, unless I'm missing something.
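
The check discussed in this thread, sketched as an added example (not code from webtorrent, webtorrent-remote or Brave): a wrapper for a Node `http` request handler that rejects any request whose `Host` header does not name the local server. After a rebind the page is same-origin with the server from the browser's point of view, so CORS does not come into play, but `Host` still carries the remote site's name. `guardHost`, its option names, port 9000 and `rebind.example` are assumptions made for the example.

```javascript
// Added example: guardHost and its options are hypothetical names, not webtorrent's API.
// Parse a Host header value: uri-host [ ":" port ], including bracketed IPv6 literals.
function parseHostHeader (value) {
  if (typeof value !== 'string') return null
  const m = /^(\[[0-9a-f:.]+\]|[^:\/\s@]+)(?::(\d{1,5}))?$/i.exec(value.trim())
  if (!m) return null
  // No explicit port means the scheme default; plain http (80) is assumed here.
  return { hostname: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : 80 }
}

// True only when Host names this server exactly (hostname allowlist plus listening port).
function isHostAllowed (hostHeader, allowedHostnames, port) {
  const parsed = parseHostHeader(hostHeader)
  if (!parsed) return false // missing or malformed header: fail closed
  return parsed.port === port && allowedHostnames.includes(parsed.hostname)
}

// Wrap a Node http request handler, e.g. http.createServer(guardHost(handler, opts)).
function guardHost (handler, { hostnames, port }) {
  const allowed = hostnames.map(h => h.toLowerCase())
  return function (req, res) {
    if (!isHostAllowed(req.headers.host, allowed, port)) {
      res.statusCode = 403 // reject before any handler logic runs
      res.end('Forbidden')
      return
    }
    handler(req, res)
  }
}

// Constructed requests: a normal local request, a request from a rebound page
// (Host carries the remote site's name), and a request with no Host header.
function demo () {
  const handler = (req, res) => { res.statusCode = 200; res.end('torrent listing') }
  const guarded = guardHost(handler, { hostnames: ['localhost', '127.0.0.1'], port: 9000 })
  const hosts = ['localhost:9000', 'rebind.example:9000', undefined]
  return hosts.map(host => {
    const res = { statusCode: 0, body: '', end (b) { this.body = b } } // minimal stand-in for ServerResponse
    guarded({ headers: { host } }, res)
    return res.statusCode
  })
}
```

`demo()` returns the status code each constructed request receives; only the request addressed to `localhost:9000` reaches the handler.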


5 participants