Orweb Security Advisory: Possible IP leakage with HTML5 video/audio

The Orweb browser app is vulnerable to leak the actual IP of the device it is on, if it loads a page with HTML5 video or audio tags on them, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src or through image poster is made outside of the proxy settings.

The Android WebView component upon which Orweb is built, does not pass on the proxy settings for the web page to embedded media players it displays. Additionally, even though the proper API calls are made to turn off all plugins, apparently HTML5 video and audio players not considered plugins, and there is no way to disable them at an API level.

We are currently working to determine which versions of Android these issues occur on. We have a fix implemented that filters all video and audio tag instances out of retrieved content, and on newer versions of Android, that requires a user gesture/tap before media players are loaded.

We expect to have a fix out in the next 24 to 48 hours. In the meantime, if you are using Orweb with the goal of strong anonymity, and not just circumvention or proxying, we advise you to avoid all sites that may include HTML5 video or audio content embedded in the pages, or to just stop using the app all together. Alternatively, you can use Firefox for Android with the Proxy Mobile add-on (load this XPI within Firefox: https://guardianproject.info/releases/proxymob-latest.xpi)

This does NOT affect users who use the root mode with transparent proxying, as that handles proxying the entire traffic of the entire device or a particular app.

26 thoughts on “Orweb Security Advisory: Possible IP leakage with HTML5 video/audio

  1. I noticed that even on a rooted device and using transparent proxy and the
    tethering option selected in Orbot it still shows your own, mobile isp, ip.

    I did not manage to fix this. Only the use of a real VPN works
    in this case. We now use both m2m vpn and orbot on our mobile devices.

    Bas

    1. does the notification “Transparent Proxying ENABLED” appear? When you say “it still shows your own mobile isp ip”, how are you testing that?

      Transparent Proxying definitely works on Android devices with root that have the proper iptables option. Make sure to upgrade to our latest 12.0.5 release.

  2. Hi!

    Is there another leak because Orweb is exposing the OS version and device name in ‘user-agent’ string when visting

    http://ip-check.info -> Start test

    Is there any chance to get this user-agent blocked oder replaced by Tor Browser Bundle string?

    Greetz
    torifyme

  3. Why does the user-agent string expose browser and os version as well as device name? Website for says orweb sets user-agent so “S2″ but that isn’t the case!

  4. Are you going to publish an update for the html audio video bug? I think it is a high risk because anyone with access to the http Stream might be able to insert -tags in order to determine the actual ip of the user.

  5. Are you going to publish an update for the html audio video bug? I think it is a high risk because anyone with access to the HTTP stream or HTML code might be able to insert -tags in order to determine the actual ip of the user. Thank you.

  6. Ok so a few questions I use orweb to make sure that I’m connected to tor and FireFox to browse the web well my ip on FireFox ip says its something other then orweb is it still safe and one more thing how safe am I downloading files thru FireFox I’m not rooted don’t know if I will b for some time

    1. We were attempting to fix a bug with Android 4.4, that has made proxy setup not work. However, it was not widely successful, only on some devices.

      We are moving towards a new major update with Firefox/Mozilla Gecko as the base, which will fix all the leaks issues, and add a number of improvements on other fronts as well. The only downside is that the app will be 20-30M in size. We should have an alpha release out shortly.

    1. Orweb is based on the built-in Android WebView, and therefore inherits all its limitations. We’ve recently decided that those limitations are too restricting, and Google is moving to its ChromeView anyway, so we have started working on Orfox, a privacy browser based on mobile Firefox.

    2. It is based on Android AOSP browser “WebView” component for now. We are moving to Firefox Gecko base shortly.

  7. My IP is only concealed if I use my phone’s data plan. If I am connected to WiFi, it will show that address.

  8. The latest Firefox v31.0 on Android 4.4 leaks the traffic, even with the proxy mobile (v0.0.10) pointing to a TOR proxy.
    This doesn’t matter if the TOR proxy is local (Orb on android) or on a remote machine (Tor on a PC). The leakage happens on the tablet itself.

    The leakage is web site specific. For example, a very unobnoxious web site http://www.whatisb-12.com always leaks. Many ad links leak through.

    Testing the same scenario with a desktop Firefox does not leak.

    You can test this by simply watching your router’s web site visit logs while doing the browsing.

    Don’t know how long the leaks have been going on. Searching reports on such a problem yield nothing. It’s been unnoticed for too long.

    It seems the problem is Firefox android.

  9. Just want to follow up to add more details of the setup:

    Nexus 7: android 4.4.4
    Firefox: v35.0 (the latest)
    Proxy Mobile: 0.0.10, from theguardianproject
    Proxy setting: SOCKS5 only to local:9050 or :9050
    DNS: go through socks, enabled

    Leakage occurs on many but not all web sites. The web sites do not seem to have usually content e.g. videos.

    When using desktop firefox ESR, SOCKS proxy to the same tor, no leakage.

  10. The user agent displayed by http://ip-check.info can be changed from Settings -> User Agent to TorBrowserBundle to be the most generic, however I did noticed at times that the user agent may disclose the device name right when you start Orweb the first time after installation/update.
    The bigger issue is the media tags issue though.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>