Unmasking your hola! IP — Jan 23, 2015, 5:46 pm
I stumbled upon this when I wanted to use the hola! plugin for Chrome, which helps you to pretend to be from a different country when you visit websites. This is helpful if the site contains content, that is blocked in other countries.When you do a simple IP lookup it perfectly works and shows a IP with geolocation in the selected country. However I wondered how well it masks all my outgoing connections.
A regular HTTP request shows the masked IP as wanted:
<?php echo '<script>var ip1="'.getenv('REMOTE_ADDR').'";</script>'; // or $_SERVER['REMOTE_ADDR'] ?>
However receiving something from a different domain inside the page reveals your real IP:
<script src="http://www.DIFFERENT_DOMAIN.com/get_my_ip.js"></script>
...with the JS-file having i.e. this code:
<?php header('Content-Type: text/javascript; charset=UTF-8'); echo 'var ip2="'.getenv('REMOTE_ADDR').'";'; ?>
I edited the .htaccess for the JS-file to interpret PHP:
AddHandler x-mapp-php5 .js
Do a simple check with jQuery:
<script> $(document).ready(function() { if (ip1 != ip2) alert("You surf undercover and your real IP is "+ip2); }); </script>
Test your hola! by pressing "Eigene IP" on my tool page. If it detects a different one, it'll show both.