Forum Discussion
Security Vulnerability "IP Sniffer script will show everyone's IP while playing multiplayer games"
If anyone runs this script below on their Quest 3 using developer mode & ADB will be able to see everyone's ip address in multiple multiplayer games. This is dangerous because if I'm able to run this script it opens the door for other scripts that could potentially be more dangerous in the future. It will show a HUD with a list of everyone's ip addresses in the lobby your currently connected to, and will refresh every time you join a different lobby in game. I've noticed when I'm the only player in a public or private lobby it will not show my IP Address until another player joins then it'll be shown along with the IP Address of another player. This is a huge issue because for hackers that use SSH Reverse shell can gain access to their devices see all their files it's bad.
#!/system/bin/sh
INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5; exit}')
MY_IP=$(ip addr show "$INTERFACE" | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)
/data/local/tmp/tcpdump -i "$INTERFACE" -nn -c 200 2>/dev/null | \
grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | \
grep -v "$MY_IP" | sort -u > /sdcard/peer_ips.txt
IPS=$(cat /sdcard/peer_ips.txt)
[ -n "$IPS" ] && termux-toast -g bottom -s "$IPS"
3 Replies
Replies have been turned off for this discussion
That is true of any multiplayer game, with peer-to-peer communication. That is also true of all peer-to-peer social communications. If it is peer-to-peer, then your system knows their IP, or it would not be 'to-peer'.
Yes, The thing is that hackers can easily gain access to other players devices just by running a .sh script on Meta Quest 3, This could give them access to much more in the future for example; ddosing, session hijacking, viewing and editing their files using a terminal in the future if it's not patched.
The only fix for this would be to disallow your firewall from doing peer-to-peer. Steps that could help (1) Disable UPnP on your firewall as many apps use UPnP to route internet traffic to your internal network. And that might break games you want to play. (2) Tons of manual checking and blocking ports. (3) Don't enable unknown sources apps. Even trusted apps can do p2p and you would not know. (4) UPnP is not the only way to do p2p.
Even if they disallowed it from adb, you could write a c/c++/c# game that just checked itself. If you are doing peer-to-peer, it is traceable from each endpoint. On the net, there is no such thing as blocking caller-id, because your IP address is how the packets get routed across the world.
So the trade off is use a relay (some say that opens up privacy issues as the relay has access), or use p2p and the other endpoint knows your IP.
100% of the time, a computer program or command line tool that does any network I/O *must* know the IP address of the other end to reach the other end, then when they reply, they *must* reply to your IP address. It is never secret.
