#26252 closed defect (not a bug)

Orfox leaks actual IP address when downloading

Reported by: Chai T. Rex
Owned by: n8fr8
Priority: Medium
Component: Applications/Tor Browser
Severity: Critical
Keywords: tbb-mobile, tbb-proxy-bypass
Cc: igt0

Description

On xordern's extended check, the actual IP address is leaked when using Orfox.

Change History (9)

comment:1 Changed 19 months ago by Chai T. Rex

Orfox version is "Fennec-52.7.3esr/TorBrowser-7.5.3/Orfox-1.5.2-RC-1" updated on 5 April 2018 on the Google Play Store. Default settings used.

comment:2 Changed 19 months ago by sysrqb

Severity: Normal → Critical
Status: new → needs_information

Did your IP address leak? I tested this with the same version - except installed from f-droid, and both IP addresses are the same.

That website is from 4 years ago, so this should not be a bug anymore.

comment:3 Changed 19 months ago by sysrqb

I should also mention that I would not be surprised if the two IP addresses are different, but neither of them should be your real IP address.

comment:4 Changed 19 months ago by sysrqb

Cc: igt0 added
Component: Applications/Orbot → Applications/Tor Browser
Keywords: tbb-mobile added

comment:5 Changed 19 months ago by Chai T. Rex

It was definitely my real home cable Internet address. Now it's showing my real Starbucks IP address. I checked what my non-Tor IP address was at both locations in the Chrome browser on my laptop on the same WiFi connection as my Android phone without using a proxy server by searching Google for `what is my ip address`. It matched the real IP address revealed by xordern's extended check after the file download step on that page in Orfox.

Perhaps the version on the Google Play Store is buggy. Or perhaps it's using something buggy on my ZTE N817 phone using Android 4.4.4, kernel 3.4.0-gaa480ec (wangyd@ztesuper25) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Wed Feb 28 15:38:36 CST 2018 zte-kernel@Zdroid-SMT, SW version N817V1.0.0B16.

comment:6 in reply to:  5 Changed 19 months ago by gk

Replying to Chai T. Rex:

> It was definitely my real home cable Internet address. Now it's showing my real Starbucks IP address. I checked what my non-Tor IP address was at both locations in the Chrome browser on my laptop on the same WiFi connection as my Android phone without using a proxy server by searching Google for `what is my ip address`. It matched the real IP address revealed by xordern's extended check after the file download step on that page in Orfox.
>
> Perhaps the version on the Google Play Store is buggy. Or perhaps it's using something buggy on my ZTE N817 phone using Android 4.4.4, kernel 3.4.0-gaa480ec (wangyd@ztesuper25) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Wed Feb 28 15:38:36 CST 2018 zte-kernel@Zdroid-SMT, SW version N817V1.0.0B16.

With a clean Orfox session I can't reproduce this proxy bypass. However, here is what you might have done:

1) Tried to open the file with the video player: that leaks your IP address on the website
2) Tried to download the video file over Orfox *after* you did 1). Interestingly in this case it is still showing my real IP address. This could be a bug in the website or it could be indeed a proxy bypass, I have not checked.

comment:7 Changed 19 months ago by Chai T. Rex

Yes, I was trying to open it with the default video player application both times. I've retried with the Orfox downloader instead and the IP address no longer leaks.

Could Orfox generate a warning message when an external application is about to be invoked in a way that could leak the IP address?

comment:8 Changed 19 months ago by gk

Keywords: tbb-proxy-bypass added

comment:9 in reply to:  7 Changed 18 months ago by sysrqb

Resolution: not a bug
Status: needs_information → closed

Replying to Chai T. Rex:

> Yes, I was trying to open it with the default video player application both times. I've retried with the Orfox downloader instead and the IP address no longer leaks.
>
> Could Orfox generate a warning message when an external application is about to be invoked in a way that could leak the IP address?

Yes, I agree, thanks for reporting this! I opened #26529 for implementing that.

I'm closing this as not a bug because this isn't a proxy-bypass within Orfox itself. This is a general usability problem that we'll improve in #26529.
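
The warning requested in comment:7, sketched as an added example (not Orfox or Tor Browser code, and not the change tracked in #26529). The function names, the scheme lists, the callbacks and the sample URLs are assumptions made for illustration.

```javascript
// Added example: a hypothetical hand-off guard, not Orfox or Tor Browser code.

// Schemes the receiving app resolves by opening its own network connection,
// which does not go through the browser's Tor proxy settings.
const REMOTE_SCHEMES = new Set(["http:", "https:", "ftp:", "rtsp:", "rtmp:"]);
// Schemes that refer to data already stored on the device.
const LOCAL_SCHEMES = new Set(["file:", "content:"]);

// Decide whether handing `target` to an external app needs a warning.
function classifyHandoff(target) {
  let url;
  try {
    url = new URL(target);
  } catch (err) {
    // Fail closed: a target we cannot parse cannot be shown to be local.
    return { warn: true, reason: "unparseable target" };
  }
  if (LOCAL_SCHEMES.has(url.protocol)) {
    return { warn: false, reason: "local data, no fetch of the resource needed" };
  }
  if (REMOTE_SCHEMES.has(url.protocol)) {
    return { warn: true, reason: `external app would contact ${url.host} directly` };
  }
  return { warn: true, reason: `unknown network behaviour for ${url.protocol}` };
}

// `confirm` and `launch` are callbacks supplied by the caller (assumed UI hooks).
function openExternally(target, confirm, launch) {
  const verdict = classifyHandoff(target);
  if (verdict.warn && !confirm(verdict.reason)) {
    return "blocked";
  }
  launch(target);
  return "launched";
}

// Constructed sample targets: a streamed remote file vs. a finished download.
for (const t of ["https://media.example/clip.mp4", "file:///sdcard/Download/clip.mp4"]) {
  console.log(t, classifyHandoff(t));
}
```

The guard only covers the fetch of the resource itself; an external app that makes its own network requests while playing a local file is outside what this check can see.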