IP leak from Windows/macOS UI dialog with URI
It is possible for the client IP to leak from the browser and onto the network via the Windows API when prompted with Windows dialog box to select files.
Not entirely sure if this is a bug, but should at least be documented.
Steps to reproduce:
- Visit a website that provides an upload box.
- Instead of selecting a file, paste a URI as a file name.
- The IP is leaked.
This may potentially work with Ctrl+O (Open File) and Ctrl+S (Save Page As).
Tested on Windows 7 and verified with Wireshark.
Trac:
Username: uileak