I read through the search items and similar threads but my query is rather specific.

I know it's possible to reveal IP of an email recipient if we can get the person to click on an attached image or file and then using a remote PHP script running on a server we can extract info about him.

My question is which IP exactly is actually revealed if the person is using a proxy or even TOR.

The person uses Protonmail, most likely as webmail. So basically, assuming we can get the person to click on the attachment image, which IP is revealed when:

  1. He uses a proxy website to access Protonmail
  2. He uses a proxy through browser settings
  3. He uses TOR browser bundle to access Protonmail hidden service

Thanks!

  • The person would have to click on a link. Clicking on an attached image (which is then embedded into the email) will not work. – George Y. Jul 19 '18 at 01:19
  • Most images are "rehosted" onto the email server, so as to control the files and not perform XSS, allowing HTTPS throughout the entire page. However, what I described is what GMail does; most still use the old method, which ProtonMail, being E2EE, must use. Images are downloaded from another website within the email, XSS. Having a PHP script execute upon the image being opened (or requested by the client from their web portal email) will work. You are thinking of embedding JavaScript, which is disabled by most email vendors. – safesploit Jul 19 '18 at 11:28

2 Answers

3
  1. He uses a proxy website

An IP address lookup will reveal the exit node for that website proxy, i.e. the IP address of their server, which connects to the IP address lookup PHP script.

(Client)---(Web proxy)---(Web proxy/exit node)---(Web server)

  2. He uses a proxy through browser settings

The revealed IP address will be the proxy server. However, whether a transparent, anonymous or elite proxy was used will determine if the proxy server forwarded the remote address (your real IP address) within the packet header.

Also, you should review the proxy server types (FTP, HTTP, HTTPS, SOCKS4, SOCKS4A and SOCKS5). An HTTP proxy server can only serve HTTP content via port 80. So, if you connect to an HTTPS website, your real IP address will be exposed. However, any SOCKS proxy server would serve content via any usable port.

(Client)---(SOCKS5 proxy)---(Web server)

--

Exposing the real IP address because of using HTTP proxy to connect to an HTTPS server.

(Client)---(HTTP proxy)---(HTTPS web server)

  3. He uses TOR browser bundle to access Protonmail hidden service

The Tor browser bundle is configured to prevent leaks as I described above, and also protects against DNS and WebRTC leaks (by disabling them). So, the exit node for the web server it accesses will be the IP address you view. Because the Tor client changes circuits for different websites, the exit node for ProtonMail.com will be different from that for IPChicken.com. Hence, a different IP address.

(Client)---(Tor entry)---(Tor relay)---(Tor exit [IP address not static])---(Web server)

safesploit
  • The Tor browser bundle uses a hardened version of Mozilla Firefox, but despite the effort they take, this still reports your system's timezone, which does partially identify you. So, finding a vulnerability within Firefox which can be executed via JavaScript and can ignore the SOCKS proxy configuration would allow **bypassing of the proxy** and a direct connection outside the Tor network. However, without reviewing the Tor browser's source code I cannot state the security safeguards that protect against this type of attack. In the past, this type of attack has been done and has deanonymised users. – safesploit Jul 19 '18 at 14:43
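To make the transparent/anonymous/elite distinction in this answer concrete from the web server's side, here is an added Python example (not from the original thread) that classifies an incoming request from the remote address and headers the server actually receives. The addresses and headers are constructed samples from the documentation ranges, and "elite_or_direct" is a label chosen here: without proxy headers, the server cannot tell an elite proxy, a Tor exit, or a direct connection apart.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Headers by which a proxy either announces itself or leaks the original client.
CLIENT_IP_HEADERS = ("x-forwarded-for", "x-real-ip")
PROXY_ANNOUNCE_HEADERS = ("via", "forwarded", "proxy-connection")


@dataclass
class Observation:
    observed_ip: str                      # what a naive "IP lookup" script sees
    forwarded_ips: List[str] = field(default_factory=list)  # addresses leaked by the proxy
    proxy_kind: str = "elite_or_direct"   # transparent | anonymous | elite_or_direct


def classify(remote_addr: str, headers: Dict[str, str]) -> Observation:
    """Classify a request as seen by the server (remote_addr + request headers)."""
    h = {k.lower(): v for k, v in headers.items()}
    leaked: List[str] = []
    # Transparent proxies copy the client address into X-Forwarded-For / X-Real-IP.
    for name in CLIENT_IP_HEADERS:
        if name in h:
            leaked += [p.strip() for p in h[name].split(",") if p.strip()]
    # RFC 7239 Forwarded: "for=203.0.113.7;proto=https, for=10.0.0.1"
    for element in h.get("forwarded", "").split(","):
        for param in element.split(";"):
            param = param.strip()
            if param.lower().startswith("for="):
                leaked.append(param[4:].strip('"'))
    if leaked:
        kind = "transparent"                 # real client address exposed
    elif any(name in h for name in PROXY_ANNOUNCE_HEADERS):
        kind = "anonymous"                   # proxy visible, client address hidden
    else:
        kind = "elite_or_direct"             # indistinguishable from a direct hit
    return Observation(remote_addr, leaked, kind)


# Constructed sample requests: 198.51.100.9 plays the proxy, 203.0.113.7 the client.
SAMPLES = {
    "direct":      ("203.0.113.7",  {"User-Agent": "Mozilla/5.0"}),
    "transparent": ("198.51.100.9", {"X-Forwarded-For": "203.0.113.7, 10.0.0.1", "Via": "1.1 proxy"}),
    "anonymous":   ("198.51.100.9", {"Via": "1.1 proxy"}),
    "elite":       ("198.51.100.9", {"User-Agent": "Mozilla/5.0"}),
}

if __name__ == "__main__":
    for label, (addr, hdrs) in SAMPLES.items():
        print(f"{label:12s} -> {classify(addr, hdrs)}")
```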
0

If the user selects a browser-wide proxy, the results are:

He uses a proxy website to access Protonmail

IP of the proxy website

He uses a proxy through browser settings

IP of the proxy server

He uses TOR browser bundle to access Protonmail hidden service

IP from the TOR exit node.

If the user has a proxy that changes depending on the site (not common), you could get the IP of his router. Nowadays few people have a direct public IP on their computers.

ThoriumBR
  • Nothing is impossible, but it's **very difficult** to achieve this. The FBI has lots of resources and they don't get every Tor user's IP when they want. It usually needs some user help to leak his own IP. Or a vulnerability, and Tor browser fixes vulnerabilities very fast. – ThoriumBR Jul 19 '18 at 13:30