Opened 3 weeks ago

#30427 new defect

Tor Browser locale can be detected with FTP

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

xiaoyinl reported on HackerOne that the Tor Browser locale can be detected with FTP:

If a visitor navigates to a directory on an FTP server, Tor Browser shows a page displaying the directory tree. However, the source code of this page is generated by Tor Browser, rather than the server, because an FTP server only sends file info and the browser displays it in a nice format. Moreover, the FTP directory page is localized, even if the user has chosen not to reveal his/her UI language, i.e. privacy.spoof_english == 2.
