localprobe

You're running a Bitcoin node on the same machine as your Firefox browser? Yeah, I and everybody else can tell…

localprobe.js is a small JavaScript snippet built at the btc++ Floripa 2026 exploits hackathon, where it won 2nd place. It detects whether you are running a Bitcoin node on the same machine as your Firefox browser and shows a privacy warning if so.

The issue

Firefox allows web pages to make cross-origin requests to localhost. This means any website you visit in Firefox can silently probe ports on your local machine. Chromium-based browsers (Chrome, Brave, Edge) block this via the Private Network Access spec. Firefox does not implement PNA.

Affected Browsers

Browsers where any website can probe localhost ports:

Browsers that block localhost probing via Private Network Access:

What it probes

localprobe checks the default ports for Bitcoin Core and Tor:

Try it

Start a regtest node and open this page in Firefox:

bitcoind -regtest

If a port responds within 2 seconds, a browser alert will appear.
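To check from your own machine which of these services would answer on localhost, here is a Node.js self-audit. It is an added example, not part of localprobe.js. The port list is an assumption (well-known Bitcoin Core and Tor defaults, not the project's own list), and it uses a plain TCP connect with the same 2-second window rather than a browser request.

```javascript
// Added example: local self-audit, run with `node audit.js` (file name is hypothetical).
// Assumption: well-known default ports, not localprobe's own list.
const DEFAULT_PORTS = [
  { port: 8332, service: 'Bitcoin Core RPC (mainnet)' },
  { port: 8333, service: 'Bitcoin Core P2P (mainnet)' },
  { port: 18443, service: 'Bitcoin Core RPC (regtest)' },
  { port: 18444, service: 'Bitcoin Core P2P (regtest)' },
  { port: 9050, service: 'Tor SOCKS' },
  { port: 9051, service: 'Tor control' },
];

// Resolve to 'open', 'closed' or 'timeout' for one TCP port.
async function checkPort(port, host = '127.0.0.1', timeoutMs = 2000) {
  const net = await import('node:net'); // dynamic import works in CJS and ESM
  return new Promise((resolve) => {
    const socket = net.connect({ host, port });
    const timer = setTimeout(() => finish('timeout'), timeoutMs);
    const finish = (state) => {
      clearTimeout(timer);
      socket.destroy();
      resolve(state);
    };
    socket.on('connect', () => finish('open'));
    socket.on('error', () => finish('closed')); // e.g. ECONNREFUSED
  });
}

// Return only the entries that accept a connection on localhost.
async function auditLocalPorts(ports = DEFAULT_PORTS) {
  const results = await Promise.all(
    ports.map(async (p) => ({ ...p, state: await checkPort(p.port) }))
  );
  return results.filter((r) => r.state === 'open');
}

auditLocalPorts().then((open) => {
  if (open.length === 0) {
    console.log('No default Bitcoin Core or Tor port answers on 127.0.0.1');
  } else {
    console.table(open); // services listening on localhost
  }
});
```

Any port listed as open is listening on 127.0.0.1 and is therefore a candidate for the browser-side probing described above.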

Use it on your site

<script src="localprobe.js"></script>

Drop localprobe.js into your page. It runs once per browser session, does nothing in non-Firefox browsers, and only prompts once unless the user dismisses the alert. No dependencies, no build step.

Resources