The Hacker News

Do you have any idea about an Internal IP Address or a Private IP Address that too assigned for Multinational Companies? Yeah, today we are gonna discuss about Internal IP or Private IP address Disclosure.

Disclosure of an Internal IP like 192.168.*.* or 172.16.*.* , can really Impact ? Most security researchers call it as "bull shit" vulnerability. But when it comes to impact calculation even if the server is behind a firewall or NAT, an attacker can see internal IP of the remote host and this may be used to further attacks.

Internet Giants like Facebook, Google, PayPal and Serious National Security organizations like FBI, Pentagon and NASA are taking initiatives for their Security Issues. At same, we at 'The Hacker News' stand together for organizations that talk about national security in a serious way.

I guess,its the time to understand about the flaws and its impacts where I would like to share my findings about our Internet Giants and Organizations.

Facebook - Internal IPv4 Address and Session Cookie Disclosure
Facebook spent $8.5 million to buy According to the many report available on the internet says " is for Facebook Internal Use Only".
The Hacker News

Internal IP :
Session Cookie : Session Cookie Generation probably depends the administration from their admin panel located at

PayPal - [ & ]
Paypal is being the largest in the e-banking business has its Internal IPv4 Address and Other Server Detail Disclosure while accessing one of its sub domain.
The Hacker News
Internal IP Range - 192.168.*.*
The Hacker News
Google - [ Server Path Disclosure]
Recently , I came across an issue reported by an user on Google Code website to Google Team members of modpagespeed project.. mod_pagespeed is an open-source Apache module created by Google to help Make the Web Faster by rewriting web pages to reduce latency and bandwidth.
The Hacker News

If you closely analyze the URL mentioned in the forum post you might get some encoding error. But if you access the URL via Google Web-Cache ( Interesting Part: Using Google Service to Retrieve Information of Other Google Services )

Vulnerable Domain:
Vulnerability: Server Path Disclosure
Steps to Reproduce: Access Google Web-Cache URL: Click Here

Cron Job Info of Google Talk, Plugins and Google Chrome
Google Talk - Cron Job Info , Path Disclosed: Cache URL

Google Talk Plugin - Cron Job Info, Path Disclosed: Cache URL

Google Chrome- Cron Job Info, Path Disclosed: Cache URL

Internal IP, Subnet mask disclosure in a publicly available file at NASA ftp (now deleted) can be seen via Google cache.
The Hacker News

Tata Consultancy Services
TCS was also having similar internal IP disclosure flaw, recently fixed. We have a screenshot of that
The Hacker News
In the above screenshot we can easily find the Microsoft OLDE DB provider Information and the Server Internal (Private IP Address :
The Hacker News

This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further attacks.

For a hacker Information is like a treasure and gathering each and every small information = Treasure hunting. Vulnerability either low or Critical, its still remains a vulnerability.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.