Orfox leaks actual IP address when downloading

[Chai T. Rex]

On ​xordern's extended check, the actual IP address is leaked when using Orfox.

[Chai T. Rex]

Orfox version is "Fennec-52.7.3esr/TorBrowser-7.5.3/Orfox-1.5.2-RC-1" updated on 5 April 2018 ​on the Google Play Store. Default settings used.

[sysrqb]

Did your IP address leak? I tested this with the same version - except installed from f-droid, and both IP addresses are the same.

That website is from 4 years ago, so this should not be a bug anymore.

[sysrqb]

I should also mention that I would not be surprised if the two IP addresses are different, but neither of them should be your real IP address.

[Chai T. Rex]

It was definitely my real home cable Internet address. Now it's showing my real Starbucks IP address. I checked what my non-Tor IP address was at both locations in the Chrome browser on my laptop on the same WiFi connection as my Android phone without using a proxy server by ​searching Google for `what is my ip address`. It matched the real IP address revealed by xordern's extended check after the file download step on that page in Orfox.

Perhaps the version on the Google Play Store is buggy. Or perhaps it's using something buggy on my ZTE N817 phone using Android 4.4.4, kernel 3.4.0-gaa480ec (wangyd@ztesuper25) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Wed Feb 28 15:38:36 CST 2018 zte-kernel@Zdroid-SMT, SW version N817V1.0.0B16.

[gk]

Replying to Chai T. Rex:

It was definitely my real home cable Internet address. Now it's showing my real Starbucks IP address. I checked what my non-Tor IP address was at both locations in the Chrome browser on my laptop on the same WiFi connection as my Android phone without using a proxy server by ​searching Google for `what is my ip address`. It matched the real IP address revealed by xordern's extended check after the file download step on that page in Orfox.

Perhaps the version on the Google Play Store is buggy. Or perhaps it's using something buggy on my ZTE N817 phone using Android 4.4.4, kernel 3.4.0-gaa480ec (wangyd@ztesuper25) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Wed Feb 28 15:38:36 CST 2018 zte-kernel@Zdroid-SMT, SW version N817V1.0.0B16.

With a clean Orfox session I can't reproduce this proxy bypass. However, here is what you might have done:

1) Tried to open the file with the video player: that leaks your IP address on the website
2) Tried to download the video file over Orfox *after* you did 1). Interestingly in this case it is still showing my real IP address. This could be a bug in the website or it could be indeed a proxy bypass, I have not checked.

[Chai T. Rex]

Yes, I was trying to open it with the default video player application both times. I've retried with the Orfox downloader instead and the IP address no longer leaks.

Could Orfox generate a warning message when an external application is about to be invoked in a way that could leak the IP address?

[sysrqb]

Replying to Chai T. Rex:

Yes, I was trying to open it with the default video player application both times. I've retried with the Orfox downloader instead and the IP address no longer leaks.

Could Orfox generate a warning message when an external application is about to be invoked in a way that could leak the IP address?

Yes, I agree, thanks for reporting this! I opened #26529 for implementing that.

I'm closing this as not a bug because this isn't a proxy-bypass within Orfox, itself. This is a general usability problem that we'll improve in #26529.