Kevin Froman's blog

Blog on security, programming, & other musings

Tracking Ipfs Users Via Cache Probing



IPFS is a distributed file system network that uses hashes to lookup, verify, and track content.

ipfs logo

The IPFS reference client has an HTTP gateway on localhost for accessing files (such as HTML) via the network.

These files are stored in the IPFS cache for an indefinite period of time to make the available offline and to others who would request them.

This gateway also has a very liberal CORS header, making content readable to other browser origins.

Sadly, this file permanence system comes at a cost. Websites on or off IPFS can test if any given file is in a node without giving any initial indication that they are doing so.

Probing the cache

Similar to my attacks on I2P, IPFS also has to deal with web vulnerabilities, because of its webui and gateway system.

By requesting a hash from the user's local gateway and tracking the time it takes to load, I can see if they have that file in their cache or not.


This form of testing is far from perfect, there are factors that could result in incorrect results:

Supercookies 🍪

IPFS can also be used as a type of supercookie with 99-100% accuracy.

An attacker would pre-compute tracking files on their node and assign them to IPFS users by making their clients request & cache them.

These files could then use application cache or service workers to make the cookie available if the IPFS node goes down.

In reality, since IPFS is not that popular to begin with & browsers are already easy to fingerprint, IPFS being installed (combined with other browser data) would be enough to uniquely identify a user.


The cache & supercookie 'attack' could be mitigated by requiring some sort of authentication to interact with the gateway.

Unless a system like that is added, user's will have to do 'ipfs repo gc' and/or shutdown their node to protect themselves.

Noscript's "application boundaries enforcer" should provide some protection as well.

Other Attacks

There are a couple other IPFS attacks I haven't seen discussed much, but I don't really feel need their own posts.

Webui Clickjacking

The IPFS webui does not return 'x-frame-options', meaning the user's IPFS node ID (& system username) can be exfiltrated using frame splicing, and their config maliciously changed via pastejacking.

Stealing cookies

Since all IPFS files are served on the same origin (the gateway address), files have access to each others cookies, local/session storage, and other data. Do not store any sensitive data in IPFS sites.

Written by anonymous