webtorrent / webtorrent-desktop

❤️ Streaming torrent app for Mac, Windows, and Linux
https://webtorrent.io/desktop
MIT License
9.67k stars, 1k forks

Consider setting { origin } option to torrent.createServer() #1308

Open feross opened 6 years ago

feross commented 6 years ago

There was a huge DNS rebinding attack in Transmission discovered recently. Super crazy.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1447

TLDR, Transmission runs an RPC server that is accessible to the internet. They attempt to filter requests so that only their local UI program can access it. But that didn't work so well. Any website could run random code on your computer!

WebTorrent has a torrent.createServer() function that serves torrent content, but DOES NOT ACCEPT RPC REQUESTS (you can't ask the server to run code for you).

Like any local server, ours is vulnerable to DNS rebinding too. Fortunately, the consequences are much milder: random sites can try to see content from the torrent that you are currently streaming.

Also, Transmission's RPC server always runs on a specific port, but our torrent content server always picks a random one, making it harder to take advantage of. Still, it's theoretically possible for an attacker to try every possible port and then see what you're watching in WTD.

I'll repeat: WebTorrent's torrent content server does not let someone send a request to execute some code (which is very risky and a terrible idea).

I'm working with @diracdeltas from Brave to add a new option to the webtorrent package to enable users of torrent.createServer() to fix this issue: https://github.com/webtorrent/webtorrent/pull/1260#issuecomment-358717306

Special things we need to consider for WebTorrent Desktop:

Thoughts?

pldubouilh commented 6 years ago

We allow streaming torrents to VLC or other external players. It's unclear what these programs set the Host header to. We need to test the top player apps to see what they do.

Just tested VLC, and it does set the Host header.

diracdeltas commented 6 years ago

BTW see my comment here: https://github.com/webtorrent/webtorrent/pull/1260#issuecomment-358820360. The Origin header doesn't mitigate the attack. You have to use the Host header.
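
The Host header check discussed in this thread, as an added example that is not part of the thread or of WebTorrent's code: a wrapper for a Node `(req, res)` handler that serves only requests whose Host names the loopback interface and the listening port. The function names, the port 53211 and the sample headers are constructed for illustration.

```javascript
// Added example: Host-header allow-list for a localhost-only HTTP server.
// parseHost, isLocalHost and hostGuard are illustrative names, not WebTorrent APIs.
const LOCAL_NAMES = new Set(['localhost', '127.0.0.1', '[::1]'])

// Split a Host header into { name, port }; returns null when missing or malformed.
function parseHost (header) {
  if (typeof header !== 'string') return null
  const m = /^(\[[0-9a-f:.]+\]|[^\s:\/@\[\]]+)(?::(\d{1,5}))?$/i.exec(header.trim())
  if (!m) return null
  return { name: m[1].toLowerCase(), port: m[2] === undefined ? null : Number(m[2]) }
}

// True only when Host names a loopback address AND the port we listen on.
function isLocalHost (header, listenPort) {
  const h = parseHost(header)
  if (!h || !LOCAL_NAMES.has(h.name)) return false
  // A Host header without a port implies the default HTTP port, 80.
  return (h.port === null ? 80 : h.port) === listenPort
}

// Wrap a handler so rejected requests never reach the torrent content.
function hostGuard (listenPort, handler) {
  return (req, res) => {
    if (!isLocalHost(req.headers.host, listenPort)) {
      res.statusCode = 403
      return res.end('Forbidden: unexpected Host header')
    }
    return handler(req, res)
  }
}

// Constructed sample request headers. After a rebind the browser still sends
// the rebound name in Host, and a same-origin GET carries no Origin header,
// so an Origin check has nothing to inspect.
const SAMPLES = {
  player: { host: '127.0.0.1:53211' },
  browserUi: { host: 'localhost:53211', origin: 'http://localhost:53211' },
  rebound: { host: 'rebind.attacker.example:53211' },
  wrongPort: { host: 'localhost:8080' },
  missing: {}
}

function classify (listenPort) {
  const out = {}
  for (const [k, headers] of Object.entries(SAMPLES)) out[k] = isLocalHost(headers.host, listenPort)
  return out
}
// Usage: http.createServer(hostGuard(port, handler)).listen(port, '127.0.0.1')
```

The `player` sample stands in for an external player such as VLC that sets Host to the address it was given; what each real player sends still has to be tested, as the thread notes.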

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions[bot] commented 1 year ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?