Exadra37
Stealing Secrets from Developers Localhost Development using Websockets
I came across this article that has some disturbing facts about using websockets from javascript in the browser for port scanning your machine.
The author discovered this after reading another article about why Ebay is port scanning localhost via websockets.
So this made him wonder how far he could go, and he started with this question:
This got me thinking. I know that popular JavaScript frameworks use websockets in development to automatically reload pages when content changes. Could a malicious website eavesdrop on that traffic, and find out when developers are saving their code?
The reality was slightly worse than I had thought.
And then he finds these disturbing facts:
But what happens when the developer makes a typo? The webpack dev server helpfully tries to send a bunch of debugging and stack information to the developer’s screen, by way of its websocket connection.
Now things are getting juicy. We’ve got code snippets, paths to files, locations, all sorts of bits of useful info.
It gets even better if eventually the Dev accidentally typos on a line containing useful data:
Now we’ve got a copy of this developer’s AWS Dev credentials. Quick, fire up the bitcoin miners!
What are your thoughts on this? Did you ever imagine that this could get so far?
I really need to do a POC of attacking Phoenix WebSockets, because the more I read about them, the more concerned I get with using them.
Marked As Solved
chrismccord
Skimming the article, the author is using an external site that has js connect to localhost, right? If so, changing check_origin: false to check_origin: ["myapp.local"] in dev.exs with a host file entry would suffice to prevent another host from establishing a websocket connection to your local server.
hauleth
PSA: Do not use .local for your local development domain. It is reserved for mDNS and you should use .localhost which is currently reserved but unassigned to anything.
tangui
Also some protocols work in dev only when using .localhost. For instance WebAuthn requires TLS with the exception of the .localhost domain so that you don’t need to enable TLS in dev.
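The change chrismccord describes, written out as a Phoenix config/dev.exs fragment with the weak setting next to the hardened one, and using a .localhost name as hauleth recommends. This is an added example, not code from the thread or from the Phoenix project; :my_app, MyAppWeb.Endpoint and myapp.localhost are placeholder names.

```elixir
# config/dev.exs (added example; :my_app, MyAppWeb.Endpoint and
# myapp.localhost are placeholders for your own project's names)
import Config

# Weak: with check_origin disabled, any page open in the browser,
# including a third-party site, may open a WebSocket to the dev
# server and read live-reload and error traffic.
config :my_app, MyAppWeb.Endpoint,
  http: [ip: {127, 0, 0, 1}, port: 4000],
  check_origin: false

# Hardened: the WebSocket upgrade is accepted only when the browser's
# Origin header names myapp.localhost. Pair this with a hosts entry
#   127.0.0.1  myapp.localhost
# and browse to http://myapp.localhost:4000 during development.
# .localhost is used instead of .local, which is reserved for mDNS.
config :my_app, MyAppWeb.Endpoint,
  url: [host: "myapp.localhost", port: 4000],
  http: [ip: {127, 0, 0, 1}, port: 4000],
  check_origin: ["//myapp.localhost"]
```

Both config calls target the same endpoint; Config merges them and the last value wins, so in a real dev.exs keep only the hardened block. The browser attaches the page's Origin header to every WebSocket handshake, and with an allow-list in place the endpoint refuses the upgrade when that origin is not listed, which is what stops a page served from another host from attaching to your local socket. Phoenix also accepts wildcard entries such as "//*.myapp.localhost" if you run several local hostnames.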
dimitarvp
I did imagine it will go this far, yes. The insanity that is serving you code (JS) which your browser – which is essentially a small OS – executes almost without scrutiny, mandated that one day this will happen.
As excited as I am for some tech innovations – WebSockets included – we definitely need to get back to basics and even the drawing board for a lot of stuff.
But there’s no funding for that so I predict a lot of very embarrassing security incidents will keep happening for years to come.