The article can be read here. As we were named specifically we felt that we should reply to this officially in the interest of balance and transparency.
Firstly, Mr Hanff was made aware of this anomaly on May 23, 2014 (approx. 3 weeks ago). He asked how it was being done, which we declined to answer; there was no more discussion on the topic until late at night on 12 June, when we were asked again how it was done (we replied the following morning) and we again declined to give details.
Mr Hanff then pointed out that, as a browser developer, he wanted to know because he wanted to be able to fix it in his browser. We again declined to give details, at which point Mr Hanff told us he was going to go public with the matter and posted the above article.
As far as we are aware, the browser to which Mr Hanff is referring is his product 'Private Browser', which has not yet been released and is not available to download or use, so even knowing how the information leak works wouldn't actually assist anyone because they cannot use this browser.
So why didn't we go public?
According to the article "This is a very serious situation - not only does it create network security issues but it can also be used to add entropy to server side fingerprinting for the purpose of tracking users across the world wide web."
1. The method used is NOT a security exploit; it is information leakage from a built-in API. This cannot be exploited in any way, and as such is not a threat to anyone.
2. This, in our view, is not a privacy issue: our educational website, which uses Circumspecto, clearly shows that it is possible to gather hundreds of pieces of information about a web visitor. One additional piece of information does not make you any more or less private online. It is estimated that around 70 pieces of information are enough to create a unique browser fingerprint for any given user anywhere in the world; on average Circumspecto is able to gather over 150 pieces of information, which is more than enough entropy in our view.
Isn't knowing IP addresses dangerous?
In short, no. Knowing that someone is using a private (RFC1918) IP address isn't groundbreaking security or privacy news; it is in fact how it was designed to work. Everyone who uses broadband is using private addresses, as are many (if not most) companies; they are in fact all using the SAME private addresses, which is exactly what they were intended to be used for.
Will we disclose the information now?
Again, in short, no. This in our view is a non-issue: it has no security impact and little to no privacy impact. Some people might inflate this to the level of 'serious threat', but often these are people who don't fully understand the technologies; of course they are entitled to their views and have the right to voice them, just as we have a right not to agree.
Should it be fixed?
Of course it should; the API should not be leaking information the way that it appears to, but that doesn't mean that it is a risk to our security or our privacy.
We would also like to put it on the record that we refused to tell Mr Hanff how it works and we also refused to declare to the world how it works, but we also made it clear that vendors had been/would be notified to allow the issue to be fixed, a piece of information that seemed to be missing from the original article.