Opened 4 years ago

Closed 4 years ago

#16347 closed defect (invalid)

TOR Browser Favicon.ico IP leak

Reported by: torleak
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version: Tor: unspecified
Severity:
Keywords: Favicon.ico IP leak
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Attached are logs for TOR Browser sessions during the logging into Buffalo Terastation TS-XEL with firmware version 1.55. The logs are from Terastation lighttpd.webui.access.log.

Version of TOR Browser was likely 4.5; it was the version that TOR Browser had updated itself to automatically. It was certainly below 4.5.1, because an access occurred before May 13.

TOR client IP address is XXX.XXX.XXX.XXX.

Target IP address is YYY.YYY.YYY.YYY.

Real IP address is ZZZ.ZZZ.ZZZ.ZZZ, it was checked and confirmed with ISP.
Based on access circumstances, it is unthinkable that a target was "accidentally" accessed via a standard browser at that time, which was IE11.

What is strange about the real User-Agent is that it lists Windows NT 6.2, but the real version of Windows was NT 6.3.

Below is a small fragment of the logs:
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:15:53 +0900] "POST /dynamic.pl HTTP/1.1" 200 192 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:15:53 +0900] "GET /static/ext/resources/images/default/grid/grid3-hrow.gif HTTP/1.1" 200 836 "http://YYY.YYY.YYY.YYY/static/ext/resources/css/ext-all.css" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:15:53 +0900] "GET /static/ext/resources/images/default/s.gif HTTP/1.1" 200 43 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:16:08 +0900] "GET /static/ext/resources/images/default/grid/row-over.gif HTTP/1.1" 200 823 "http://YYY.YYY.YYY.YYY/static/ext/resources/css/ext-all.css" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:16:08 +0900] "GET /static/ext/resources/images/default/grid/grid3-hrow-over.gif HTTP/1.1" 200 823 "http://YYY.YYY.YYY.YYY/static/ext/resources/css/ext-all.css" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
ZZZ.ZZZ.ZZZ.ZZZ YYY.YYY.YYY.YYY - [Date:19:17:20 +0900] "GET /favicon.ico HTTP/1.1" 200 97 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:17:51 +0900] "POST /dynamic.pl HTTP/1.1" 200 289 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:17:53 +0900] "GET /dynamic.pl?_dc=1431339247835&bufaction=getRootSettings2 HTTP/1.1" 200 551 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:17:54 +0900] "GET /dynamic.pl?_dc=1431339247838&bufaction=validateSession HTTP/1.1" 200 77 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
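The log excerpt above shows the pattern worth detecting on the server side: a single request for /favicon.ico arriving from a different client address, with a different User-Agent and no Referer, in the middle of an otherwise consistent browser session. The following script is an added example (not from the ticket, its reporter, or the Tor Browser project) that parses lines in the same lighttpd layout as the excerpt, derives the session's baseline client address and User-Agent from the referer-bearing requests, and flags any request that departs from that baseline. The sample lines and addresses (RFC 5737 documentation ranges) are constructed; the "[Date:HH:MM:SS +0900]" timestamp form mirrors the reporter's redaction and is treated as an opaque string.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the shape of the ticket's lighttpd.webui.access.log
# excerpt: client IP, server IP, "-", [timestamp], request, status, bytes,
# referer, user agent. Addresses are documentation ranges, not the ticket's.
SAMPLE_LOG = """\
203.0.113.10 198.51.100.20 - [Date:19:15:53 +0900] "POST /dynamic.pl HTTP/1.1" 200 192 "http://198.51.100.20/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
203.0.113.10 198.51.100.20 - [Date:19:15:53 +0900] "GET /static/ext/resources/images/default/s.gif HTTP/1.1" 200 43 "http://198.51.100.20/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
192.0.2.30 198.51.100.20 - [Date:19:17:20 +0900] "GET /favicon.ico HTTP/1.1" 200 97 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0)"
203.0.113.10 198.51.100.20 - [Date:19:17:51 +0900] "POST /dynamic.pl HTTP/1.1" 200 289 "http://198.51.100.20/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
"""

# One regex for the whole line; the timestamp is kept as an opaque string
# because the excerpt's date field was redacted to "Date:".
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<server>\S+) \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


@dataclass
class Entry:
    client: str
    server: str
    time: str
    request: str
    status: int
    referer: str
    agent: str


def parse_log(text):
    """Parse log text into Entry objects, skipping lines that do not fit the layout."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            continue  # malformed or foreign line: skip rather than abort the scan
        entries.append(Entry(m['client'], m['server'], m['time'], m['request'],
                             int(m['status']), m['referer'], m['agent']))
    return entries


def session_baseline(entries):
    """Majority client address and User-Agent among referer-bearing requests.

    In-page navigations and sub-resource loads carry a Referer, so they
    represent the browser session proper; bare fetches (Referer "-") do not
    contribute to the baseline.
    """
    in_session = [e for e in entries if e.referer != '-']
    if not in_session:
        return None, None
    client = Counter(e.client for e in in_session).most_common(1)[0][0]
    agent = Counter(e.agent for e in in_session).most_common(1)[0][0]
    return client, agent


def find_stray_requests(entries):
    """Return (entry, reasons) pairs for requests that depart from the session baseline."""
    baseline_client, baseline_agent = session_baseline(entries)
    findings = []
    for e in entries:
        reasons = []
        if e.client != baseline_client:
            reasons.append('client address differs from session baseline')
        if e.agent != baseline_agent:
            reasons.append('User-Agent differs from session baseline')
        if reasons and e.referer == '-':
            reasons.append('no Referer (bare fetch, not an in-page navigation)')
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == '__main__':
    for entry, reasons in find_stray_requests(parse_log(SAMPLE_LOG)):
        print(f'{entry.time} {entry.client} {entry.request}')
        for r in reasons:
            print(f'    - {r}')
```

Run against the constructed sample, the only flagged line is the favicon.ico fetch from 192.0.2.30, with all three reasons. On a real log the baseline should be computed per server-side session (for example per login) rather than over the whole file, otherwise two legitimate visitors on different addresses will flag each other.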


Attachments (1)

TOR_leak_edited.txt (152.9 KB) - added by torleak 4 years ago.
lighttpd.webui.access.log


Change History (8)

Changed 4 years ago by torleak

Attachment: TOR_leak_edited.txt added

lighttpd.webui.access.log

comment:1 Changed 4 years ago by cypherpunks

Did the user create a desktop shortcut of the URL?

comment:2 Changed 4 years ago by torleak

Do you mean a shortcut for the URL of the target site or a shortcut for TOR Browser (\Tor Browser\Browser\firefox.exe)? The latter was always used; the former does not exist.

But it is possible that IP of the target site was copied into TOR Browser from a text file (notepad), or even copied from the local folder name, instead of typing directly into TOR Browser.

Edit: screenshots of the TOR Browser content were likely taken via Snagit 11.2.1 during that time.


comment:3 Changed 4 years ago by torleak

SnagIt32.exe was decompiled, and there is indeed a favicon.ico call under unclear conditions. This may also explain the older Windows NT 6.2 version in the User-Agent, if this Snagit version itself was relatively old and not compiled for Windows 6.3.

Now, does it mean that an external application can request a target IP address from TOR Browser (Firefox), and TOR Browser will divulge the IP address to it? Is it normal? This doesn't look good.

comment:4 Changed 4 years ago by mcs

Resolution: invalid
Status: new → closed

As you found out, any unrelated application that you run on your computer may leak your IP address. Undoubtedly, SnagIt got the IP address from the system (actually, it looks like SnagIt used the IE engine underneath). This same problem applies to plugins, etc.; see https://people.torproject.org/~andrew/website-stage/docs/faq.html.en#TBBFlash for example. Closing this ticket.

comment:5 Changed 4 years ago by torleak

Resolution: invalid
Status: closed → reopened

Yes, I understand that any unrelated application may leak the source IP address, under the condition that the user voluntarily specified a target IP address in this application.

I also understand that an embedded TOR Browser plugin may leak the source IP address, because it can obtain the target IP address from TOR Browser itself.

But the situation described in the ticket is different. SnagIT is an external application for taking screenshots. It is not embedded as a plugin into TOR Browser. Obviously, the user didn't provide the target IP address to SnagIt voluntarily. The user just took screenshots of an area of the TOR Browser window which contained a certain part of the target website. When the user took screenshots of different parts of the same website, no IP leaks occurred.

It means that the external application requested the target IP address from TOR Browser, either by somehow parsing a target website area inside TOR Browser or by requesting the IP address from TOR Browser. And TOR Browser divulged the target IP address.

Please confirm that such situation is normal and valid. If so, then you probably would want to update TOR Browser FAQ where a danger of taking screenshots of TOR Browser window content via any external application should be mentioned.

comment:6 Changed 4 years ago by mcs

On Windows, applications running at the same time as other applications can obtain the URL of the Firefox window via various IPC methods or by digging around within the open window hierarchy. For example, see:

http://stackoverflow.com/a/5318791/2517441

My guess is that it would be very difficult for Tor Browser to protect against this kind of access by other applications.

comment:7 Changed 4 years ago by gk

Resolution: invalid
Status: reopened → closed

This is no Tor Browser issue, see comment:4 (which looks quite plausible) and is outside of the Tor Browser threat model: If you run other applications with network access on your computer then you must configure them to use Tor as well.
