Opened 12 months ago

Last modified 10 months ago

#27431 reopened defect

TBA connects to location.services.mozilla.com

Reported by: towiw3 Owned by: sysrqb
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-mobile
Cc: tbb-team, igt0 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Why does it connect to location.services.mozilla.com? It also connects to blocklists.settings.services.mozilla.com but there is already a ticket for that: https://trac.torproject.org/projects/tor/ticket/16931

I think TBA should not connect to Mozilla at all. By default it should not connect to anything and it should only connect when users ask it to.

Child Tickets

Change History (4)

comment:1 Changed 10 months ago by sysrqb

Cc: tbb-team igt0 added
Owner: changed from tbb-team to sysrqb
Severity: NormalMajor
Status: newassigned

Thanks for reporting this!

Ugh, okay. This is exactly what we feared. It looks like this is the result of a bug within the Android core HTTP library. This leak is already fixed in the more recent releases of Android. In particular, any version after Android O (API 26+) should not leak DNS queries.

I didn't catch this in #21863 because I only audited the master branch. You can see the leak here, in Marshmallow:

    if (proxy.type() == Proxy.Type.DIRECT || proxy.type() == Proxy.Type.SOCKS) {
      socketHost = address.getUriHost();
      socketPort = getEffectivePort(uri);
    } else {
      SocketAddress proxyAddress = proxy.address();
      if (!(proxyAddress instanceof InetSocketAddress)) {
        throw new IllegalArgumentException(                                                                                                                                                                        
            "Proxy.address() is not an " + "InetSocketAddress: " + proxyAddress.getClass());
      }   
      InetSocketAddress proxySocketAddress = (InetSocketAddress) proxyAddress;
      socketHost = getHostString(proxySocketAddress);
      socketPort = proxySocketAddress.getPort();
    }   

    if (socketPort < 1 || socketPort > 65535) {
      throw new SocketException("No route to " + socketHost + ":" + socketPort
          + "; port is out of range");
    }   

    // Try each address for best behavior in mixed IPv4/IPv6 environments.
    for (InetAddress inetAddress : network.resolveInetAddresses(socketHost)) {
      inetSocketAddresses.add(new InetSocketAddress(inetAddress, socketPort));
    }

And it is patched in Oreo:

    if (proxy.type() == Proxy.Type.SOCKS) {
      inetSocketAddresses.add(InetSocketAddress.createUnresolved(socketHost, socketPort));
    } else {
      // Try each address for best behavior in mixed IPv4/IPv6 environments.                                                                                                                                       
      List<InetAddress> addresses = address.getDns().lookup(socketHost);
      for (int i = 0, size = addresses.size(); i < size; i++) {
        InetAddress inetAddress = addresses.get(i);
        inetSocketAddresses.add(new InetSocketAddress(inetAddress, socketPort));
      }   
    } 

comment:2 Changed 10 months ago by sysrqb

Parent ID: #28125
Resolution: duplicate
Status: assignedclosed

I'll close this and we'll work on the master/parent ticket.

comment:3 Changed 10 months ago by sysrqb

Resolution: duplicate
Status: closedreopened

Actually, no, sorry. There is a second bug we should patch here. I agree we shouldn't contact Mozilla for this. Specifically, this occurs because Fennec makes a connection to location.services.mozilla.com and Mozilla responds with geo-location (based on some GeoIP database) for the incoming connection. The geo-location information is then used by the app for choosing the region-specific search engines provided in the app (or using a default set). This is not helpful for TBA users, and Mozilla only responds if the request includes a valid API key - which we don't have. As a result, TBA makes a useless request where it always uses the default search engines at the end.

comment:4 Changed 10 months ago by gk

Parent ID: #28125
Note: See TracTickets for help on using tickets.