Unmasking your hola! IP — Jan 23, 2015, 6:46 pm
I stumbled upon this when I wanted to use the hola! plugin for Chrome, which helps you to pretend to be from a different country when you visit websites. This is helpful if the site contains content, that is blocked in other countries.
When you do a simple IP lookup it perfectly works and shows a IP with geolocation in the selected country. However I wondered how well it masks all my outgoing connections.

A regular HTTP request shows the masked IP as wanted:
<?php
echo '<script>var ip1="'.getenv('REMOTE_ADDR').'";</script>'; // or $_SERVER['REMOTE_ADDR']
?>

However receiving something from a different domain inside the page reveals your real IP:
<script src="http://www.DIFFERENT_DOMAIN.com/get_my_ip.js"></script>

...with the JS-file having i.e. this code:
<?php
header('Content-Type: text/javascript; charset=UTF-8');
echo 'var ip2="'.getenv('REMOTE_ADDR').'";';
?>

I edited the .htaccess for the JS-file to interpret PHP:
AddHandler x-mapp-php5 .js


Do a simple check with jQuery:
<script>
$(document).ready(function() {
if (ip1 != ip2) alert("You surf undercover and your real IP is "+ip2);
});
</script>


Test your hola! by pressing "Eigene IP" on my tool page. If it detects a different one, it'll show both.
Enter your comment:


  Use [code=LANGUAGE]...[/code] for highlighting (i.e. html, php, css, js)