Opened 2 years ago

Last modified 23 months ago

#27904 new defect

Tor Browser for Android does not protect master password screen with FLAG_SECURE

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-mobile
Cc: sysrqb, igt0
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


This issue got reported to us by nightwatch-cybersecurity at our HackerOne bug bounty program and subsequently filed at Mozilla's bug tracker (

Change History (2)

comment:1 Changed 2 years ago by sysrqb

Keywords: tba-a3 added

Hrm. Interesting. We need to enforce setting FLAG_SECURE within more parts of the app. We enable it in the browser context ( but we don't set it anywhere else (such as when we switch to the preferences menu). We should enable this for every Activity.

Ideally, I'd like a pref where the user can toggle it (similar to Signal) - upstream bug:

comment:2 Changed 23 months ago by gk

Keywords: tba-a3 removed
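
One way to apply the approach discussed in comment:1 (FLAG_SECURE on every Activity, with a user-facing toggle), as an added example that is not code from Tor Browser or Fennec. The class name, package name and preference key are hypothetical, and the sketch assumes the class is registered as the application class in the manifest.

```java
package org.example.securescreen; // hypothetical package name

import android.app.Activity;
import android.app.Application;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.preference.PreferenceManager;
import android.view.WindowManager;

public class SecureScreenApplication extends Application
        implements Application.ActivityLifecycleCallbacks {

    // Hypothetical preference key. Absent or false means "protected",
    // so a fresh install fails closed.
    static final String PREF_ALLOW_SCREENSHOTS = "allow_screenshots";

    @Override
    public void onCreate() {
        super.onCreate();
        // One registration covers every Activity in the process, including
        // ones added later (preferences, prompts hosted in their own Activity).
        registerActivityLifecycleCallbacks(this);
    }

    private void applyPolicy(Activity activity) {
        SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(this);
        if (prefs.getBoolean(PREF_ALLOW_SCREENSHOTS, false)) {
            activity.getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
        } else {
            activity.getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
    }

    // Dispatched from Activity.onCreate(), normally before setContentView().
    @Override
    public void onActivityCreated(Activity a, Bundle state) { applyPolicy(a); }

    // Re-applied on resume so a changed preference takes effect on return.
    @Override
    public void onActivityResumed(Activity a) { applyPolicy(a); }

    @Override public void onActivityStarted(Activity a) {}
    @Override public void onActivityPaused(Activity a) {}
    @Override public void onActivityStopped(Activity a) {}
    @Override public void onActivitySaveInstanceState(Activity a, Bundle out) {}
    @Override public void onActivityDestroyed(Activity a) {}
}
```

Dialogs and popup windows own a separate Window and do not inherit the flag from the Activity that shows them, so a prompt displayed as a Dialog needs FLAG_SECURE added on its own window as well.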