Orweb Security Advisory: Possible IP leakage with HTML5 video/audio

The Orweb browser app is vulnerable to leak the actual IP of the device it is on, if it loads a page with HTML5 video or audio tags on them, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src or through image poster is made outside of the proxy settings.

The Android WebView component upon which Orweb is built, does not pass on the proxy settings for the web page to embedded media players it displays. Additionally, even though the proper API calls are made to turn off all plugins, apparently HTML5 video and audio players not considered plugins, and there is no way to disable them at an API level.

We are currently working to determine which versions of Android these issues occur on. We have a fix implemented that filters all video and audio tag instances out of retrieved content, and on newer versions of Android, that requires a user gesture/tap before media players are loaded.

We expect to have a fix out in the next 24 to 48 hours. In the meantime, if you are using Orweb with the goal of strong anonymity, and not just circumvention or proxying, we advise you to avoid all sites that may include HTML5 video or audio content embedded in the pages, or to just stop using the app all together. Alternatively, you can use Firefox for Android with the Proxy Mobile add-on (load this XPI within Firefox: https://guardianproject.info/releases/proxymob-latest.xpi)

This does NOT affect users who use the root mode with transparent proxying, as that handles proxying the entire traffic of the entire device or a particular app.

26 comments for “Orweb Security Advisory: Possible IP leakage with HTML5 video/audio

  1. 2013/08/24 at 12:59 pm

    Hope this will not effect on me, as I am using root mode with transparent proxying.


    • n8fr8
      2013/08/25 at 12:40 pm

      Yes, it will not affect you. Also, it does not affect Firefix with the Proxy Mobile add-on.

    • 2015/01/01 at 3:20 am


  2. Bas
    2013/08/26 at 3:44 pm

    I noticed that even on a rooted device and using transparent proxy and the
    tethering option selected in Orbot it still shows your own, mobile isp, ip.

    I did not manage to fix this. Only the use of a real VPN works
    in this case. We now use both m2m vpn and orbot on our mobile devices.


    • n8fr8
      2013/08/26 at 8:55 pm

      does the notification “Transparent Proxying ENABLED” appear? When you say “it still shows your own mobile isp ip”, how are you testing that?

      Transparent Proxying definitely works on Android devices with root that have the proper iptables option. Make sure to upgrade to our latest 12.0.5 release.

  3. torifyme
    2013/09/01 at 11:44 am


    Is there another leak because Orweb is exposing the OS version and device name in ‘user-agent’ string when visting

    http://ip-check.info -> Start test

    Is there any chance to get this user-agent blocked oder replaced by Tor Browser Bundle string?


  4. torifyme
    2013/09/01 at 12:17 pm

    Why does the user-agent string expose browser and os version as well as device name? Website for says orweb sets user-agent so “S2” but that isn’t the case!

  5. Me
    2013/09/13 at 10:48 am

    Are you going to publish an update for the html audio video bug? I think it is a high risk because anyone with access to the http Stream might be able to insert -tags in order to determine the actual ip of the user.

    • n8fr8
      2013/09/20 at 4:56 pm

      Unfortunately, it is not a fix we can work around using any standard API.

      We are now recommending users switch to Firefox with our Proxy Mobile add-on. Full instructions are here: https://guardianproject.info/apps/proxymob/

  6. Anonymous
    2013/09/13 at 12:48 pm


  7. Me
    2013/09/14 at 11:41 am

    Are you going to publish an update for the html audio video bug? I think it is a high risk because anyone with access to the HTTP stream or HTML code might be able to insert -tags in order to determine the actual ip of the user. Thank you.

  8. anon
    2013/10/14 at 3:01 am

    Does the “10 Easy Steps” approach to using firefox address java script vulnerabilities?

  9. jay
    2013/11/21 at 1:54 pm

    Ok so a few questions I use orweb to make sure that I’m connected to tor and FireFox to browse the web well my ip on FireFox ip says its something other then orweb is it still safe and one more thing how safe am I downloading files thru FireFox I’m not rooted don’t know if I will b for some time

    • 2013/11/25 at 8:10 am

      Hi Jay! No, your current setup probably isn’t safe. By default Orbot+Orweb doesn’t route all internet through Tor, only Orweb is using Tor. To send Firefox through Tor also, you need to install the mobile proxy addon. Visit this page to find the instructions and the download link: https://guardianproject.info/apps/proxymob/

      Remember, you can go to https://check.torproject.org to see if you’re correctly connected to Tor in firefox.

  10. user1252
    2013/12/11 at 3:12 am

    I noticed that Orweb on both Google Play and https://guardianproject.info/releases/ were updated on Nov 29 and 30.

    Has this IP leak been resolved in Orweb-release-0.5.1.apk?

    • n8fr8
      2013/12/13 at 10:53 am

      We were attempting to fix a bug with Android 4.4, that has made proxy setup not work. However, it was not widely successful, only on some devices.

      We are moving towards a new major update with Firefox/Mozilla Gecko as the base, which will fix all the leaks issues, and add a number of improvements on other fronts as well. The only downside is that the app will be 20-30M in size. We should have an alpha release out shortly.

  11. user1252
    2013/12/11 at 3:16 am

    Is Orweb based on Firefox, Android ASOP browser, or some other browser?

    • Hans-Christoph Steiner
      2013/12/11 at 11:15 am

      Orweb is based on the built-in Android WebView, and therefore inherits all its limitations. We’ve recently decided that those limitations are too restricting, and Google is moving to its ChromeView anyway, so we have started working on Orfox, a privacy browser based on mobile Firefox.

    • n8fr8
      2013/12/13 at 10:51 am

      It is based on Android AOSP browser “WebView” component for now. We are moving to Firefox Gecko base shortly.

  12. Daylily
    2014/01/13 at 11:07 pm

    My IP is only concealed if I use my phone’s data plan. If I am connected to WiFi, it will show that address.

  13. cmon
    2014/05/04 at 6:26 pm

    Any news?
    Whats the best option,orweb,orfox or firefox + addon?

  14. anonymous
    2014/08/23 at 6:57 am

    The latest Firefox v31.0 on Android 4.4 leaks the traffic, even with the proxy mobile (v0.0.10) pointing to a TOR proxy.
    This doesn’t matter if the TOR proxy is local (Orb on android) or on a remote machine (Tor on a PC). The leakage happens on the tablet itself.

    The leakage is web site specific. For example, a very unobnoxious web site http://www.whatisb-12.com always leaks. Many ad links leak through.

    Testing the same scenario with a desktop Firefox does not leak.

    You can test this by simply watching your router’s web site visit logs while doing the browsing.

    Don’t know how long the leaks have been going on. Searching reports on such a problem yield nothing. It’s been unnoticed for too long.

    It seems the problem is Firefox android.

  15. anonymous
    2014/08/23 at 7:52 am

    Just want to follow up to add more details of the setup:

    Nexus 7: android 4.4.4
    Firefox: v35.0 (the latest)
    Proxy Mobile: 0.0.10, from theguardianproject
    Proxy setting: SOCKS5 only to local:9050 or :9050
    DNS: go through socks, enabled

    Leakage occurs on many but not all web sites. The web sites do not seem to have usually content e.g. videos.

    When using desktop firefox ESR, SOCKS proxy to the same tor, no leakage.

  16. Toruser
    2014/10/12 at 11:33 pm

    The user agent displayed by http://ip-check.info can be changed from Settings -> User Agent to TorBrowserBundle to be the most generic, however I did noticed at times that the user agent may disclose the device name right when you start Orweb the first time after installation/update.
    The bigger issue is the media tags issue though.

Leave a Reply

Your email address will not be published. Required fields are marked *