Why is GateHub wallet sniffing for private IP addresses?

[T8493]

GateHub wallet contains the following function which can enumerate user's private IP addresses according to RFC 1918 (for example, 192.168.x.x).

It uses STUN protocol that is supported by WebRTC Web API. However, this API is intended for voice and video calls. GateHub doesn't use voice and video calls for anything (support, etc.) and so it is not clear why would they need private IP addresses at all.

https://signin.gatehub.net/resources/js/ips.js

Questions for @gatehub :

• Why do you need private IP addresses? 
• Why are private addresses not mentioned on your Privacy Policy page?
• Which section of TOS or privacy policy covers private IP addresses?
• Which data controllers/processors store these private IP addresses and for how long?

If this code is intended for testing, then it should not be in production code.

//get the IP addresses associated with an account
function getIPs(callback){
    var ip_dups = {};

    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var useWebKit = !!window.webkitRTCPeerConnection;

    //bypass naive webrtc blocking using an iframe
    if(!RTCPeerConnection){
        //NOTE: you need to have an iframe in the page right above the script tag
        //
        //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
        //<script>...getIPs called in here...
        //
        var win = iframe.contentWindow;
        RTCPeerConnection = win.RTCPeerConnection
            || win.mozRTCPeerConnection
            || win.webkitRTCPeerConnection;
        useWebKit = !!win.webkitRTCPeerConnection;
    }

    //minimal requirements for data connection
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };

    var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    function handleCandidate(candidate){
        //match just the IP address
        var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
        var ip_addr = ip_regex.exec(candidate)[1];

        //remove duplicates
        if(ip_dups[ip_addr] === undefined)
            callback(ip_addr);

        ip_dups[ip_addr] = true;
    }

    //listen for candidate events
    pc.onicecandidate = function(ice){

        //skip non-candidate events
        if(ice.candidate)
            handleCandidate(ice.candidate.candidate);
    };

    //create a bogus data channel
    pc.createDataChannel("");

    //create an offer sdp
    pc.createOffer(function(result){

        //trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});

    }, function(){});

    //wait for a while to let everything done
    setTimeout(function(){
        //read candidate info from local description
        var lines = pc.localDescription.sdp.split('\n');

        lines.forEach(function(line){
            if(line.indexOf('a=candidate:') === 0)
                handleCandidate(line);
        });
    }, 100);
}

//insert IP addresses into the page
getIPs(function(ip){

    //local IPs
    if (ip.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/)){
        ga('send', 'event', 'ip', 'local', ip);
    }

    //IPv6 addresses
    else if (ip.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/)){
        ga('send', 'event', 'ip', 'ipv6', ip);
    }

    //assume the rest are public IPs
    else {
        ga('send', 'event', 'ip', 'ipv4', ip);
    }
});

Edited August 7, 2016 by T8493

[GateHub]

On 8/7/2016 at 0:59 AM, T8493 said:

Questions for @gatehub :

• Why do you need private IP addresses? 
• Why are private addresses not mentioned on your Privacy Policy page?
• Which section of TOS or privacy policy covers private IP addresses?
• Which data controllers/processors store these private IP addresses and for how long?

If this code is intended for testing, then it should not be in production code.

Hello @T8493,

• Private IP addresses are collected to help identify abusers and fake accounts. We only analyse such data in case of an incident. Unfortunately there are many bad players in the crypto world.
• This data is stored only in Google Analytics.

Some security solutions such as https://castle.io/ offer browser fingerprinting as a service, including collecting private IPs as this is becoming a common practice.

To prevent WebRTC IP leaks in Chrome, install an extension - https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml. For Firefox, set media.peerconnection.enabled to false in about:config.

IANAL, so I'll let someone else answer the Privacy Policy question.

Best regards,

Luka (GateHub security advisor)

[T8493]

Just now, gatehub said:

• This data is stored only in Google Analytics.

How do you get this data out of the Google Analytics? AFAIK you can't get deanonymized data out of this service (you can't query Google Analytics for data about specific user).

 

3 minutes ago, gatehub said:

including collecting private IPs as this is becoming a common practice.

I doubt this is becoming a common practice. In the EU IP addresses are considered personal data and you can't even collect them without explicit consent from the users.

 

[winthan]

3 hours ago, gatehub said:

• This data is stored only in Google Analytics.

 

Actually, Google analytical don't need the IP logging script. You could use only google analytic script to track all of your visitors, including IPs. I am sure, GH is logging in their system. LOL. It is alright for me.