Defend against evil UI connections #815
Labels
bug
Something isn't working
Comments
kauri-hero
moved this from 🆕 New
to 🔖 Awaiting Development (Prioritized)
in MASQ Node v2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We believe that it might be possible for an evil originating Node to construct a CORES package with a server name of "localhost" or 127.0.0.1 or 0.0.0.0 that might persuade an exit Node's ProxyServer to make a UI connection to its own WebSocketSupervisor and allow the evil originating Node to control the exit Node.
The ProxyClient should be modified so that it rejects any CORES package with a URL containing "localhost", "127.0.0.1", "0.0.0.0", or any other reference to the local machine. When malefactor banning comes on board, this should result in a malefactor ban by wallet of the source.
Also, modify the ProxyServer so that no CORES package can be created, even accidentally, with those hostnames; that way, the ProxyClient can be confident that any originating Node that sends such a CORES package really is a malefactor.
Check out the code and see if it's appropriate to also trigger on the IPv6 versions of those addresses.
The text was updated successfully, but these errors were encountered: