Orweb Security Advisory: Possible IP leakage with HTML5 video/audio

Orweb Security Advisory: Possible IP leakage with HTML5 video/audio

The Orweb browser app is vulnerable to leak the actual IP of the device it is on, if it loads a page with HTML5 video or audio tags on them, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src or through image poster is made outside of the proxy settings.

The Android WebView component upon which Orweb is built, does not pass on the proxy settings for the web page to embedded media players it displays. Additionally, even though the proper API calls are made to turn off all plugins, apparently HTML5 video and audio players not considered plugins, and there is no way to disable them at an API level.

We are currently working to determine which versions of Android these issues occur on. We have a fix implemented that filters all video and audio tag instances out of retrieved content, and on newer versions of Android, that requires a user gesture/tap before media players are loaded.

We expect to have a fix out in the next 24 to 48 hours. In the meantime, if you are using Orweb with the goal of strong anonymity, and not just circumvention or proxying, we advise you to avoid all sites that may include HTML5 video or audio content embedded in the pages, or to just stop using the app all together. Alternatively, you can use Firefox for Android with the Proxy Mobile add-on (load this XPI within Firefox: https://guardianproject.info/releases/proxymob-latest.xpi)

This does NOT affect users who use the root mode with transparent proxying, as that handles proxying the entire traffic of the entire device or a particular app.

orbot  orweb  tor