T8493
Posted August 6, 2016 (edited)

GateHub wallet contains the following function, which can enumerate a user's private IP addresses according to RFC 1918 (for example, 192.168.x.x). It uses the STUN protocol, which is supported by the WebRTC Web API. However, this API is intended for voice and video calls. GateHub doesn't use voice and video calls for anything (support, etc.), so it is not clear why they would need private IP addresses at all.

https://signin.gatehub.net/resources/js/ips.js

Questions for @gatehub:

Why do you need private IP addresses?
Why are private addresses not mentioned on your Privacy Policy page?
Which section of the TOS or privacy policy covers private IP addresses?
Which data controllers/processors store these private IP addresses and for how long?
If this code is intended for testing, then it should not be in production code.

```javascript
//get the IP addresses associated with an account
function getIPs(callback){
    var ip_dups = {};

    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var useWebKit = !!window.webkitRTCPeerConnection;

    //bypass naive webrtc blocking using an iframe
    if(!RTCPeerConnection){
        //NOTE: you need to have an iframe in the page right above the script tag
        //
        //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
        //<script>...getIPs called in here...
        //
        var win = iframe.contentWindow;
        RTCPeerConnection = win.RTCPeerConnection
            || win.mozRTCPeerConnection
            || win.webkitRTCPeerConnection;
        useWebKit = !!win.webkitRTCPeerConnection;
    }

    //minimal requirements for data connection
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };

    var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    function handleCandidate(candidate){
        //match just the IP address
        var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/;
        var ip_addr = ip_regex.exec(candidate)[1];

        //remove duplicates
        if(ip_dups[ip_addr] === undefined)
            callback(ip_addr);

        ip_dups[ip_addr] = true;
    }

    //listen for candidate events
    pc.onicecandidate = function(ice){
        //skip non-candidate events
        if(ice.candidate)
            handleCandidate(ice.candidate.candidate);
    };

    //create a bogus data channel
    pc.createDataChannel("");

    //create an offer sdp
    pc.createOffer(function(result){
        //trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});
    }, function(){});

    //wait for a while to let everything done
    setTimeout(function(){
        //read candidate info from local description
        var lines = pc.localDescription.sdp.split('\n');

        lines.forEach(function(line){
            if(line.indexOf('a=candidate:') === 0)
                handleCandidate(line);
        });
    }, 100);
}

//insert IP addresses into the page
getIPs(function(ip){
    //local IPs
    if (ip.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/)){
        ga('send', 'event', 'ip', 'local', ip);
    }
    //IPv6 addresses
    else if (ip.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/)){
        ga('send', 'event', 'ip', 'ipv6', ip);
    }
    //assume the rest are public IPs
    else {
        ga('send', 'event', 'ip', 'ipv4', ip);
    }
});
```

Edited August 7, 2016 by T8493
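The ICE candidate parsing and address classification that a script like the one above depends on, written out as an added example (not GateHub's code and not part of the original post) for auditing what an SDP offer actually exposes. The SDP lines, the 203.0.113.9 address and the mDNS name are constructed sample data; the mDNS case reflects browsers that now replace host IPs with .local names.

```javascript
// Added example (not GateHub's code): parse ICE candidate lines from an SDP
// offer and classify the addresses they expose, as a reviewer auditing a page
// for WebRTC address harvesting would. All sample values are constructed.
function parseCandidate(line) {
  // a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
  const m = /^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return { foundation: m[1], component: Number(m[2]), transport: m[3].toUpperCase(),
           priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7] };
}

// Classify an address by comparing octets numerically, so 172.160.0.1 is
// correctly "public" (a prefix regex like /^172\.(1[6-9]|2\d|3[01])/ with no
// trailing dot would misclassify it as private).
function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns';   // host IP hidden behind an mDNS name
  if (addr.includes(':')) return 'ipv6';
  const parts = addr.split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return 'invalid';
  const o = parts.map(Number);
  if (o[0] === 127) return 'loopback';
  if (o[0] === 169 && o[1] === 254) return 'link-local';
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
      (o[0] === 192 && o[1] === 168)) return 'private';
  return 'public';
}

// Walk an SDP blob and report every distinct address with its candidate type:
// "host" candidates carry the machine's own addresses, "srflx" the address the
// STUN server saw (the public one).
function auditSdp(sdp) {
  const seen = new Set(), out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const c = parseCandidate(line);
    if (!c || seen.has(c.address)) continue;
    seen.add(c.address);
    out.push({ address: c.address, candidateType: c.type, scope: classifyAddress(c.address) });
  }
  return out;
}

// Constructed sample offer: an RFC 1918 host candidate (two components), a
// server-reflexive candidate, and an mDNS-obfuscated host candidate.
const SAMPLE_SDP = [
  'v=0',
  'a=candidate:1 1 UDP 2122260223 192.168.1.23 51234 typ host',
  'a=candidate:1 2 UDP 2122260222 192.168.1.23 51235 typ host',
  'a=candidate:2 1 UDP 1686052607 203.0.113.9 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'a=candidate:3 1 UDP 2122260223 7f2c1a3e-0d5b-4f58-a1f0-3c6e2b9d4e11.local 51236 typ host',
].join('\r\n');
```

On the mDNS line the posted script's `ip_regex.exec(candidate)[1]` would throw, since `exec` returns null when no dotted or colon-separated address is present.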
GateHub
Posted August 8, 2016

On 8/7/2016 at 0:59 AM, T8493 said:
> Questions for @gatehub:
> Why do you need private IP addresses?
> Why are private addresses not mentioned on your Privacy Policy page?
> Which section of the TOS or privacy policy covers private IP addresses?
> Which data controllers/processors store these private IP addresses and for how long?
> If this code is intended for testing, then it should not be in production code.

Hello @T8493,

Private IP addresses are collected to help identify abusers and fake accounts. We only analyse such data in case of an incident. Unfortunately there are many bad players in the crypto world. This data is stored only in Google Analytics.

Some security solutions such as https://castle.io/ offer browser fingerprinting as a service, including collecting private IPs, as this is becoming a common practice.

To prevent WebRTC IP leaks in Chrome, install an extension: https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml. For Firefox, set media.peerconnection.enabled to false in about:config.

IANAL, so I'll let someone else answer the Privacy Policy question.

Best regards,
Luka (GateHub security advisor)
T8493 (Author)
Posted August 8, 2016

Just now, gatehub said:
> This data is stored only in Google Analytics.

How do you get this data out of Google Analytics? AFAIK you can't get deanonymized data out of this service (you can't query Google Analytics for data about a specific user).

3 minutes ago, gatehub said:
> including collecting private IPs as this is becoming a common practice.

I doubt this is becoming a common practice. In the EU, IP addresses are considered personal data and you can't even collect them without explicit consent from the users.
winthan
Posted August 8, 2016

3 hours ago, gatehub said:
> This data is stored only in Google Analytics.

Actually, Google Analytics doesn't need the IP logging script. You could use only the Google Analytics script to track all of your visitors, including IPs. I am sure GH is logging in their system. LOL. It is alright for me.