Skip to content
Snippets Groups Projects
New look: Off

Orfox leaks actual IP address when downloading

    • Closed (moved) Issue created by Trac @tracbot

    On xordern's extended check, the actual IP address is leaked when using Orfox.

    Trac:
    Username: Chai T. Rex

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items 0

    • No child items are currently assigned. Use child items to break down this issue into smaller parts.

    Activity

    • Trac added component::applications/tor browser owner::n8fr8 priority::medium reporter::Chai T. Rex resolution::not a bug severity::critical status::closed tbb-mobile tbb-proxy-bypass type::defect labels

      added component::applications/tor browser owner::n8fr8 priority::medium reporter::Chai T. Rex resolution::not a bug severity::critical status::closed tbb-mobile tbb-proxy-bypass type::defect labels

    • Trac
      Trac @tracbot ·
      Author

      Orfox version is "Fennec-52.7.3esr/TorBrowser-7.5.3/Orfox-1.5.2-RC-1" updated on 5 April 2018 on the Google Play Store. Default settings used.

      Trac:
      Username: Chai T. Rex

    • S
      Matthew Finkel @sysrqb ·

      Did your IP address leak? I tested this with the same version - except installed from f-droid, and both IP addresses are the same.

      That website is from 4 years ago, so this should not be a bug anymore.

      Trac:
      Severity: Normal to Critical
      Status: new to needs_information

    • S
      Matthew Finkel @sysrqb ·

      I should also mention that I would not be surprised if the two IP addresses are different, but neither of them should be your real IP address.

    • S
      Matthew Finkel @sysrqb ·

      Trac:
      Cc: N/A to igt0
      Keywords: N/A deleted, tbb-mobile added
      Component: Applications/Orbot to Applications/Tor Browser

    • Trac
      Trac @tracbot ·
      Author

      It was definitely my real home cable Internet address. Now it's showing my real Starbucks IP address. I checked what my non-Tor IP address was at both locations in the Chrome browser on my laptop on the same WiFi connection as my Android phone without using a proxy server by searching Google for what is my ip address. It matched the real IP address revealed by xordern's extended check after the file download step on that page in Orfox.

      Perhaps the version on the Google Play Store is buggy. Or perhaps it's using something buggy on my ZTE N817 phone using Android 4.4.4, kernel 3.4.0-gaa480ec (wangyd@ztesuper25) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Wed Feb 28 15:38:36 CST 2018 zte-kernel@Zdroid-SMT, SW version N817V1.0.0B16.

      Trac:
      Username: Chai T. Rex

    • Georg Koppen
      Georg Koppen @gk ·

      Replying to Chai T. Rex:

      It was definitely my real home cable Internet address. Now it's showing my real Starbucks IP address. I checked what my non-Tor IP address was at both locations in the Chrome browser on my laptop on the same WiFi connection as my Android phone without using a proxy server by searching Google for what is my ip address. It matched the real IP address revealed by xordern's extended check after the file download step on that page in Orfox.

      Perhaps the version on the Google Play Store is buggy. Or perhaps it's using something buggy on my ZTE N817 phone using Android 4.4.4, kernel 3.4.0-gaa480ec (wangyd@ztesuper25) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Wed Feb 28 15:38:36 CST 2018 zte-kernel@Zdroid-SMT, SW version N817V1.0.0B16.

      With a clean Orfox session I can't reproduce this proxy bypass. However, here is what you might have done:

      1. Tried to open the file with the video player: that leaks your IP address on the website
      2. Tried to download the video file over Orfox after you did 1). Interestingly in this case it is still showing my real IP address. This could be a bug in the website or it could be indeed a proxy bypass, I have not checked.
    • Trac
      Trac @tracbot ·
      Author

      Yes, I was trying to open it with the default video player application both times. I've retried with the Orfox downloader instead and the IP address no longer leaks.

      Could Orfox generate a warning message when an external application is about to be invoked in a way that could leak the IP address?

      Trac:
      Username: Chai T. Rex

    • Georg Koppen
      Georg Koppen @gk ·

      Trac:
      Keywords: N/A deleted, tbb-proxy-bypass added

    • S
      Matthew Finkel @sysrqb ·

      Replying to Chai T. Rex:

      Yes, I was trying to open it with the default video player application both times. I've retried with the Orfox downloader instead and the IP address no longer leaks.

      Could Orfox generate a warning message when an external application is about to be invoked in a way that could leak the IP address?

      Yes, I agree, thanks for reporting this! I opened #26529 (moved) for implementing that.

      I'm closing this as not a bug because this isn't a proxy-bypass within Orfox, itself. This is a general usability problem that we'll improve in #26529 (moved).

      Trac:
      Status: needs_information to closed
      Resolution: N/A to not a bug

    • Trac closed

      closed

    • Trac moved to tpo/applications/tor-browser#26252 (closed)

      moved to tpo/applications/tor-browser#26252 (closed)

    Please register or sign in to reply