Walmart website can de-anonymize your IP in Mullvad and Tor Browsers

johnanondoe99 · May 19, 2023, 5:07am

Hey everyone,

I am reaching out to various members of the privacy and security community on something I’ve stumbled upon. I have discovered that walmart knows your IP range even when using Mullvad or Tor Browsers. My guess is walmart can’t be the only site doing this, but just lazy in covering their tracks. I am hoping the community can look into this and replicate it. Even if not, I would sure like to know HOW walmart is able to unmask IP range. Please share this info with other individuals who could inform people WHY this is happening and HOW to prevent it.

video proof:

John Doe

—** UPDATE **—

This was a coincidental false positive. I happen to live in Sacramento, but it appears to be the default based on the replies from other users who tested this from various locations.

gnu · May 19, 2023, 8:02am

I’m purely basing this on what I can see in the video (it’s 360p for me), but to me it looks like it’s javascript causing it. Can you try again by going to about:config and disabling java to see if it happens again? This wouldn’t be the first time noscript was broken or it could simply be something with your current setup. I would attempt to recreate it I just don’t see the point until anyone here can gather more info from you.

rollsicecream · May 19, 2023, 8:38am

I can replicate it when using the Mullvad Browser, you can download my video here since I can’t upload directly here :

I have disabled JavaScript and Walmart is broken so it cannot display the location (in this case, Sacramento)… So I think you’re right

gnu · May 19, 2023, 9:10am

Good to know it’s able to be replicated. This should be sent to the Mullvad/Tor/NoScript teams ASAP because it could definitely do some harm to someone who just uses any of them by default. I’ve just had enough experience with noscript to know that it can’t be trusted to block javascript everywhere and I doubt it will ever reach a point that it can. (not the teams fault it’s just how things are nothing is perfect)

blackwater · May 19, 2023, 9:55am

It doesn’t. Walmart shows Sacramento CA every time regardless of where you’re from. I tested with Tor browser on Fedora 37 and it showed Sacramento even though I don’t live anywhere near Sacramento.

gnu · May 19, 2023, 10:42am

This actually makes a lot of sense lol. I hope this is the case and I should have considered that with my replies on trying to replicate it on only walmart of all places.

johnanondoe99 · May 19, 2023, 3:32pm

Thank you!

This was a coincidental false positive. I live in Sacramento obviously and I would’ve never suspected this to be a default IP. Appreciate all those who helped figure this out.