alt Hacker NewsA quite obvious attack mechanism, I'm surprised browsers permitted this in the first place. I can't think of a reason to STUN/TURN to localhost. Aside from localhost, trackers can also use all other IP addresses available to the browser to bind their apps/send traffic to.
Now that the mechanism is known (and widely implemented), one could write an app to notify users about attempted tracking. All you need to do is to open the listed UDP ports and send a notification when UDP traffic comes in.
For shit and giggles I was pondering if it was possible to modify Android to hand out a different, temporary IPv6 address to every app and segment off any other interface that might be exposed just because of shit like this (and use CLAT or some fallback mechanism for IPv4 connectivity). I thought this stuff was just a theoretical problem because it would be silly to be so blatant about tracking, but Facebook proves me wrong once again.
I hope EU regulators take note and start fining the websites that load these trackers without consent, but I suspect they won't have the capacity to do it.
Replies
> hand out a different, temporary IPv6 address to every app and segment off any other interface that might be expose
Yes, but (AFAIK) not out of the box (unless one of the security focused ROMs already supports this). The kernel supports network namespaces and there's plenty of documentation available explaining how to make use of those. However I don't know if typical android ROMs ship with the necessary tooling.
Approximately, you'd just need to patch the logic where zygote changes the PID to also configure and switch to a network namespace.
> modify Android to hand out a different, temporary IPv6 address to every app
AFAIK this is on the Android roadmap and one of the key reasons they don't want to support DHCPv6. They want each app to have their own IP.