Opened 2 years ago

Closed 2 years ago

#23686 closed defect (not a bug)

When "http://" is in front of a V3 link, Tor browser will search the text after "http://" on duckduckgo or any default search engine you use.

Reported by: Dbryrtfbcbhgf
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Critical
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When "http://" is in front of a V3 link, Tor Browser will search the entire link on DuckDuckGo.
Copy and paste the link below straight into the Tor Browser URL field and click GO.
If the user is trying to keep their hidden service secret, this bug will cause duckduckgo to see the unencrypted link, allowing attackers to easily find their hidden service if DuckDuckGo is compromised.
http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion

Tor Browser 7.5a5

Change History (16)

comment:1 Changed 2 years ago by Dbryrtfbcbhgf

I changed my default search engine to Twitter under preferences and it will send Twitter the V3 unencrypted link!
https://twitter.com/search?q=%E2%80%8Bhttp%3A%2F%2Fozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion&partner=Firefox&source=desktop-search.
Some of the links on https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions start with "https://" and they are affected by this bug.

comment:2 Changed 2 years ago by Dbryrtfbcbhgf

Summary: When "http://" is in front of a V3 link, Tor browser will search the text after "http://" on duckduckgo → When "http://" is in front of a V3 link, Tor browser will search the text after "http://" on duckduckgo or any default search engine you use.

comment:3 Changed 2 years ago by arma

Does it happen in stable (7.0.6) too?

Did you change anything in your 7.5a5?

Are you sure you're putting it into the url bar?

This sounds like a "surely that behavior doesn't actually happen" situation.

comment:4 Changed 2 years ago by Dbryrtfbcbhgf

This was a fresh install of 7.5a5 and I set the security settings to high, then all I do is copy http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion
and paste it into the URL bar, and it searches it with my default search engine.
After another fresh install the bug is not occurring, but I got a screen recording while it was occurring the first time.
Here is the screen recording:
https://www.expirebox.com/download/530f37ff9425617b71855c6e6e3f428d.html

comment:5 Changed 2 years ago by Dbryrtfbcbhgf

In the first part of the video when I paste the link into the url bar there is a popup right under the url bar that says the link url and -- Search with duckduckgo. This occurs on 00:01 in the video.
And it does not seem to occur on 7.0.6.

comment:6 Changed 2 years ago by cypherpunks

I'm pretty sure you modified the option for search suggestions in about:preferences#search.

comment:7 in reply to: 6 Changed 2 years ago by Dbryrtfbcbhgf

Replying to cypherpunks:

I'm pretty sure you modified the option for search suggestions in about:preferences#search.

I just downloaded Tor Browser from https://dist.torproject.org/torbrowser/7.5a5/
Then I opened it and changed the security settings to high. I then went to https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions
in Safari and copied http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion
and pasted it into Tor Browser 7.5a5 and then I recorded the bug and reported it. I did not change anything else before the recording.
Enabling "Provide search Suggestions" does cause the bug to occur, but I did not manually enable them after the fresh install.

comment:8 in reply to:  7 Changed 2 years ago by cypherpunks

Replying to Dbryrtfbcbhgf:

Enabling "Provide search Suggestions" does cause the bug to occur but I did not manually enable them after the fresh install.

So it's enabled in about:preferences#search for your fresh install?

comment:9 Changed 2 years ago by Dbryrtfbcbhgf

I can confirm that that option is disabled, and I was able to capture another video reproducing the bug while the option is DISABLED. I captured my old Tor Browser data file. Here it is, both the torbrowser-data and the new video:
https://www.expirebox.com/download/d9d3fe690a576051e0694686b46f8dc6.html
The odd thing is that the bug does not always occur.

comment:10 in reply to: 9 Changed 2 years ago by cypherpunks

Oh right I only understood the issue now, it's not about providing search suggestions but it would go to the DuckDuckGo search engine directly. Nice catch! This happened for 7.5a4 FWIW (BTW it happened for me sometimes when selecting the URL of some links in DDG and displacing it to a new tab, a DDG search would happen despite the URL having https://)

comment:11 in reply to:  10 Changed 2 years ago by Dbryrtfbcbhgf

Replying to cypherpunks:

Oh right I only understood the issue now, it's not about providing search suggestions but it would go to the DuckDuckGo search engine directly. Nice catch! (BTW it happened for me sometimes when selecting some links and taking them to a new tab, a DDG search would happen despite the URL having https://)

Great, thanks cypherpunks for the confirmation that you were also able to reproduce the bug.

comment:12 Changed 2 years ago by arma

Next thought, I wonder if what you are pasting has some letters at the front, before the http://.

comment:13 in reply to:  12 Changed 2 years ago by Dbryrtfbcbhgf

Replying to arma:

Next thought, I wonder if what you are pasting has some letters at the front, before the http://.

In the video I made, it shows that there is no space nor any extra characters before HTTP
https://www.expirebox.com/download/d9d3fe690a576051e0694686b46f8dc6.html

comment:14 Changed 2 years ago by dcf

I would guess that this is partially a Trac issue. It's what arma said in comment:12. Trac puts a little icon in front of external links, and the icon is actually a span element that contains a zero-width space (U+200B). It's the presence of this invisible character that makes the browser go to a search engine.

If you copy the link and are very careful not to include the icon when you highlight, then it will work and not go to a search engine. Also if you right-click and Copy Link Location.

Try copying a link and pasting it into a Vim buffer. Vim will make the zero-width space visible and color it blue:

<200b>http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion

The same thing happens with non-onion links, like the one Dbryrtfbcbhgf posted in comment:13.
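
The Vim check described in comment:14 can be automated. The following is an added example, not part of the original comment or of Tor Browser's code: it decodes the search URL quoted in comment:1, whose `q=` parameter starts with `%E2%80%8B` (U+200B in UTF-8), and reports the invisible character. The function names are hypothetical, and the WHATWG URL parser is assumed as a stand-in for the URL bar's own load-or-search decision.

```javascript
// Added example (not from the ticket): inspect pasted address-bar text for
// invisible Unicode format characters such as U+200B before treating it as a URL.

// Search URL quoted in comment:1; its q= parameter begins with %E2%80%8B,
// the UTF-8 percent-encoding of U+200B.
const SEARCH_URL =
  "https://twitter.com/search?q=%E2%80%8Bhttp%3A%2F%2F" +
  "ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion" +
  "&partner=Firefox&source=desktop-search";

// Recover the text the browser handed to the search engine.
function pastedTextFromSearchUrl(searchUrl) {
  return new URL(searchUrl).searchParams.get("q");
}

// List every Unicode "format" (Cf) character: zero-width space, joiners, BOM, ...
function findInvisible(text) {
  return [...text.matchAll(/\p{Cf}/gu)].map((m) => ({
    index: m.index,
    codePoint: "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Assumption: the WHATWG URL parser stands in for the URL bar's own decision
// between "load this URL" and "send this text to the search engine".
function parsesAsUrl(text) {
  try {
    new URL(text);
    return true;
  } catch {
    return false;
  }
}

// Compare the raw paste with a copy that has the format characters removed.
function inspectPaste(text) {
  const invisible = findInvisible(text);
  const cleaned = text.replace(/\p{Cf}/gu, "").trim();
  return {
    invisible,
    rawIsUrl: parsesAsUrl(text),
    cleaned,
    cleanedIsUrl: parsesAsUrl(cleaned),
  };
}

console.log(inspectPaste(pastedTextFromSearchUrl(SEARCH_URL)));
```

A caller may prefer to flag and reject the paste rather than strip it, since U+200C and U+200D are permitted in some internationalized domain names.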

comment:15 in reply to:  14 Changed 2 years ago by arma

Replying to dcf:

Trac puts a little icon in front of external links, and the icon is actually a span element that contains a zero-width space

Try pasting the highlighted stuff into the tor browser window directly. If it's a real http url, it will try to load. If it is not, it will do nothing.

comment:16 Changed 2 years ago by cypherpunks

Resolution: not a bug
Status: new → closed