logoalt Hacker News

charcircuittoday at 6:14 AM1 replyview on HN

>sell access to the user's internal residential network

That is not what the SDK was doing. The actual code in the SDK protects against this (simplified to take less space):

    if (addr.isSiteLocalAddress() || addr.isLoopbackAddress()) {
        LogUtils.e("PopaTunnelAsyncThread", "Hacking? The Host Resolved Ip is " + addr + " on tunnel id:" + tunnelId);
        throw new IllegalArgumentException("Hacking? The tunnel host resolved ip is internal");
    }
Local and loopback addresses like 10.0.0.0, 172.16.0.0, 192.168.0.0, and 127.0.0.0 do not work. It will not connect to people's private file servers on their network.

Replies

throwaway7356today at 11:20 AM

It'll still connect to IPv6 addresses and bypass any firewalls.

Also users might become part (victim?) of a police investigation because of illegal actions that seem to originate from their local residential connection.

So still good to take down such backdoors. Would be nice to go after the botnet operators as well...