Opened 2 years ago

Last modified 2 years ago

#23963 new defect

Tor Browser can use a Tor that's running under another user

Reported by: teor
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I've discovered an issue where Tor Browser fails to launch tor, but
still connects to websites via whatever SOCKS proxy is running on port
9150.

I believe this issue only happens in Tor Browser 7.0 and later, because
of the multiprocess feature. I believe it only happens on macOS, due to
the way Tor Browser is launched to open links. But I haven't tested any
other versions or platforms.

I'm using Tor Browser 7.0.5 on macOS 10.12.6.

Here are the steps to reproduce:

  1. Open a copy of Tor Browser in one user account
  2. Switch to a second user account
  3. Set Tor Browser as the default browser
  4. Make sure Tor Browser is quit
  5. Open a link by right-clicking on the link text and selecting "open URL" (or by double-clicking a webloc file in Finder, or clicking a link in any rendered HTML, such as a Mail message)

Tor Browser fails to launch tor, but opens the link in a browser window
behind Tor launcher, and loads the link content via whatever SOCKS
proxy is running on port 9150. (In this case, another tor instance run
by another user.)

This could also happen using another instance of Tor Browser run by the
same user, but it's harder to reproduce, because links typically open
in the instance of the default browser that's already open.

I don't know if update checks or downloads occur over an untrusted
SOCKSPort, but I haven't seen any update notifications appear in my
testing.

Child Tickets

Change History (5)

comment:1 Changed 2 years ago by teor

Here's an update from my original email:

It's not possible to interact with this window, because Tor Launcher is still open. So if this isn't a security bug, it's still an annoying UI bug.

comment:2 Changed 2 years ago by mcs

I think this issue probably occurs on all platforms. I do not know of a way to ensure that the SOCKSPort is "trusted" except to switch to Unix domain sockets (which is possible via hidden prefs inside Tor Browser). I am also not sure how Tor Browser can tell the difference between "I am using a system Tor which is what the user wants" and "I am using a leftover Tor that was possibly started by another user." I think the argument will be "If Tor Browser is configured to start tor, it should only use the tor that it starts" (which seems reasonable but may be difficult to implement).

One good step in the right direction would be to prevent URLs from being opened until after Tor Launcher has finished its business. I thought we had a ticket for that, but I cannot find it right now. I wonder if we should create a parent ticket to track this and related issues, e.g., "support Tor Browser as the system default browser."

comment:3 in reply to: 2; Changed 2 years ago by yawning

Replying to mcs:

> I do not know of a way to ensure that the SOCKSPort is "trusted" except to switch to Unix domain sockets (which is possible via hidden prefs inside Tor Browser).

Beyond what's done now (Query net/listeners/socks over the command port), probably not much without patching tor.

> I am also not sure how Tor Browser can tell the difference between "I am using a system Tor which is what the user wants" and "I am using a leftover Tor that was possibly started by another user."

Getting Tor Browser to use a system tor requires a bunch of env vars to be set to suppress launching the tor instance.

Edit: I don't think leftover processes are an issue here. tor-launcher sets __OwningControllerProcess, and the repro instructions as far as I can tell leave a Tor Browser instance running...

> I think the argument will be "If Tor Browser is configured to start tor, it should only use the tor that it starts" (which seems reasonable but may be difficult to implement).

SO_PASSCRED and SCM_CREDENTIALS makes this trivial on sensible systems.

Last edited 2 years ago by yawning
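What the SO_PASSCRED / SCM_CREDENTIALS suggestion in comment:3 looks like in practice, as an added example that is not code from Tor Browser, tor-launcher or tor. It is Linux-specific (SO_PASSCRED and struct ucred are Linux APIs), uses a socketpair() so that the "tor" and "browser" ends live in one process and the example runs stand-alone, and the function names recv_peer_creds, peer_is_trusted, demo_check_peer and demo_without_passcred are hypothetical. The receiving side enables SO_PASSCRED, so the kernel attaches the sender's pid/uid/gid to every message; the client then refuses any peer that is not running as its own uid or is not the pid it launched.

```c
#define _GNU_SOURCE          /* struct ucred, SCM_CREDENTIALS (Linux) */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Receive one byte on fd and return the kernel-supplied credentials of the
 * sender. Returns 0 on success and -1 on any failure, including "no
 * SCM_CREDENTIALS attached" (SO_PASSCRED not enabled on this socket). */
static int recv_peer_creds(int fd, struct ucred *out)
{
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union {
        struct cmsghdr hdr;                        /* alignment only */
        char buf[CMSG_SPACE(sizeof(struct ucred))];
    } ctl;
    struct msghdr msg;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    if (recvmsg(fd, &msg, 0) < 0)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)   /* ancillary data truncated: distrust */
        return -1;

    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS
            && c->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 0;
        }
    }
    return -1;                        /* no credentials: fail closed */
}

/* Policy: the peer is "ours" only if it runs as our uid and, when
 * expected_pid is non-zero, is exactly the process we launched. */
static int peer_is_trusted(const struct ucred *cr, pid_t expected_pid)
{
    if (cr->uid != getuid())
        return 0;
    if (expected_pid != 0 && cr->pid != expected_pid)
        return 0;
    return 1;
}

/* Constructed exchange: sv[1] plays the tor we launched, sv[0] the browser.
 * Returns 1 if the peer passed the check, 0 if rejected, -1 on error. */
int demo_check_peer(void)
{
    int sv[2], on = 1, rc = -1;
    struct ucred cr;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    /* Ask the kernel to attach SCM_CREDENTIALS to everything we receive. */
    if (setsockopt(sv[0], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) == 0
        && write(sv[1], "x", 1) == 1
        && recv_peer_creds(sv[0], &cr) == 0)
        rc = peer_is_trusted(&cr, getpid());
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Same exchange without SO_PASSCRED on the receiver: the kernel attaches
 * nothing, so recv_peer_creds must return -1 rather than trust the peer. */
int demo_without_passcred(void)
{
    int sv[2], rc = -1;
    struct ucred cr;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (write(sv[1], "x", 1) == 1)
        rc = recv_peer_creds(sv[0], &cr);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("with SO_PASSCRED:    %d (1 = peer trusted)\n", demo_check_peer());
    printf("without SO_PASSCRED: %d (-1 = no credentials, fail closed)\n",
           demo_without_passcred());
    return 0;
}
```

The uid comparison is the part that addresses the ticket (a tor started by another user fails it); the pid comparison only helps when the client really did spawn the daemon and still holds its pid, since pids are reused. On macOS the equivalent peer-credential query is getsockopt(LOCAL_PEERCRED), and on Linux getsockopt(SO_PEERCRED) gives the same struct ucred for a connected stream socket without needing ancillary data. None of this applies to a TCP SOCKSPort such as 9150, which is why the discussion above only sees a fix via Unix domain sockets.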

comment:4 in reply to: 3; Changed 2 years ago by teor

Replying to yawning:

> Replying to mcs:
>
>> I am also not sure how Tor Browser can tell the difference between "I am using a system Tor which is what the user wants" and "I am using a leftover Tor that was possibly started by another user."
>
> Getting Tor Browser to use a system tor requires a bunch of env vars to be set to suppress launching the tor instance.

It used to require this in older Firefox versions.

In recent versions, Firefox will happily open links before Tor Launcher has finished, at least on macOS.

comment:5 in reply to: 4; Changed 2 years ago by yawning

Replying to teor:

> Replying to yawning:
>
>> Replying to mcs:
>>
>>> I am also not sure how Tor Browser can tell the difference between "I am using a system Tor which is what the user wants" and "I am using a leftover Tor that was possibly started by another user."
>>
>> Getting Tor Browser to use a system tor requires a bunch of env vars to be set to suppress launching the tor instance.
>
> It used to require this in older Firefox versions.
>
> In recent versions, Firefox will happily open links before Tor Launcher has finished, at least on macOS.

You missed my point, which is that, "It's trivial to tell if the user wants a system tor". Regardless of the current buggy behavior, the fixed behavior can distinguish between the two cases, by checking an env var.
