Unmasking your hola! IP — Jan 23, 2015, 5:46 pm
I stumbled upon this when I wanted to use the hola! plugin for Chrome, which helps you to pretend to be from a different country when you visit websites. This is helpful if the site contains content, that is blocked in other countries.
When you do a simple IP lookup it perfectly works and shows a IP with geolocation in the selected country. However I wondered how well it masks all my outgoing connections.

A regular HTTP request shows the masked IP as wanted:
echo '<script>var ip1="'.getenv('REMOTE_ADDR').'";</script>'; // or $_SERVER['REMOTE_ADDR']

However receiving something from a different domain inside the page reveals your real IP:
<script src="http://www.DIFFERENT_DOMAIN.com/get_my_ip.js"></script>

...with the JS-file having i.e. this code:
header('Content-Type: text/javascript; charset=UTF-8');
echo 'var ip2="'.getenv('REMOTE_ADDR').'";';

I edited the .htaccess for the JS-file to interpret PHP:
AddHandler x-mapp-php5 .js

Do a simple check with jQuery:
$(document).ready(function() {
if (ip1 != ip2) alert("You surf undercover and your real IP is "+ip2);

Test your hola! by pressing "Eigene IP" on my tool page. If it detects a different one, it'll show both.
Enter your comment:

  Use [code=LANGUAGE]...[/code] for highlighting (i.e. html, php, css, js)