The Orweb browser app is vulnerable to leak the actual IP of the device it is on, if it loads a page with HTML5 video or audio tags on them, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src or through image poster is made outside of the proxy settings.

The Android WebView component upon which Orweb is built, does not pass on the proxy settings for the web page to embedded media players it displays. Additionally, even though the proper API calls are made to turn off all plugins, apparently HTML5 video and audio players not considered plugins, and there is no way to disable them at an API level.

We are currently working to determine which versions of Android these issues occur on. We have a fix implemented that filters all video and audio tag instances out of retrieved content, and on newer versions of Android, that requires a user gesture/tap before media players are loaded.

We expect to have a fix out in the next 24 to 48 hours. In the meantime, if you are using Orweb with the goal of strong anonymity, and not just circumvention or proxying, we advise you to avoid all sites that may include HTML5 video or audio content embedded in the pages, or to just stop using the app all together. Alternatively, you can use Firefox for Android with the Proxy Mobile add-on (load this XPI within Firefox: https://guardianproject.info/releases/proxymob-latest.xpi)

This does NOT affect users who use the root mode with transparent proxying, as that handles proxying the entire traffic of the entire device or a particular app.

Orweb Security Advisory: Possible IP leakage with HTML5 video/audio
Tagged on:         

26 thoughts on “Orweb Security Advisory: Possible IP leakage with HTML5 video/audio

    • 2013/08/25 at 12:40 pm
      Permalink

      Yes, it will not affect you. Also, it does not affect Firefix with the Proxy Mobile add-on.

      Reply
  • 2013/08/26 at 3:44 pm
    Permalink

    I noticed that even on a rooted device and using transparent proxy and the
    tethering option selected in Orbot it still shows your own, mobile isp, ip.

    I did not manage to fix this. Only the use of a real VPN works
    in this case. We now use both m2m vpn and orbot on our mobile devices.

    Bas

    Reply
    • 2013/08/26 at 8:55 pm
      Permalink

      does the notification “Transparent Proxying ENABLED” appear? When you say “it still shows your own mobile isp ip”, how are you testing that?

      Transparent Proxying definitely works on Android devices with root that have the proper iptables option. Make sure to upgrade to our latest 12.0.5 release.

      Reply
  • 2013/09/01 at 11:44 am
    Permalink

    Hi!

    Is there another leak because Orweb is exposing the OS version and device name in ‘user-agent’ string when visting

    http://ip-check.info -> Start test

    Is there any chance to get this user-agent blocked oder replaced by Tor Browser Bundle string?

    Greetz
    torifyme

    Reply
  • 2013/09/01 at 12:17 pm
    Permalink

    Why does the user-agent string expose browser and os version as well as device name? Website for says orweb sets user-agent so “S2″ but that isn’t the case!

    Reply
  • 2013/09/13 at 10:48 am
    Permalink

    Are you going to publish an update for the html audio video bug? I think it is a high risk because anyone with access to the http Stream might be able to insert -tags in order to determine the actual ip of the user.

    Reply
  • 2013/09/14 at 11:41 am
    Permalink

    Are you going to publish an update for the html audio video bug? I think it is a high risk because anyone with access to the HTTP stream or HTML code might be able to insert -tags in order to determine the actual ip of the user. Thank you.

    Reply
  • 2013/10/14 at 3:01 am
    Permalink

    Does the “10 Easy Steps” approach to using firefox address java script vulnerabilities?

    Reply
  • 2013/11/21 at 1:54 pm
    Permalink

    Ok so a few questions I use orweb to make sure that I’m connected to tor and FireFox to browse the web well my ip on FireFox ip says its something other then orweb is it still safe and one more thing how safe am I downloading files thru FireFox I’m not rooted don’t know if I will b for some time

    Reply
    • 2013/11/25 at 8:10 am
      Permalink

      Hi Jay! No, your current setup probably isn’t safe. By default Orbot+Orweb doesn’t route all internet through Tor, only Orweb is using Tor. To send Firefox through Tor also, you need to install the mobile proxy addon. Visit this page to find the instructions and the download link: https://guardianproject.info/apps/proxymob/

      Remember, you can go to https://check.torproject.org to see if you’re correctly connected to Tor in firefox.

      Reply
    • 2013/12/13 at 10:53 am
      Permalink

      We were attempting to fix a bug with Android 4.4, that has made proxy setup not work. However, it was not widely successful, only on some devices.

      We are moving towards a new major update with Firefox/Mozilla Gecko as the base, which will fix all the leaks issues, and add a number of improvements on other fronts as well. The only downside is that the app will be 20-30M in size. We should have an alpha release out shortly.

      Reply
  • 2013/12/11 at 3:16 am
    Permalink

    Is Orweb based on Firefox, Android ASOP browser, or some other browser?

    Reply
    • 2013/12/11 at 11:15 am
      Permalink

      Orweb is based on the built-in Android WebView, and therefore inherits all its limitations. We’ve recently decided that those limitations are too restricting, and Google is moving to its ChromeView anyway, so we have started working on Orfox, a privacy browser based on mobile Firefox.

      Reply
    • 2013/12/13 at 10:51 am
      Permalink

      It is based on Android AOSP browser “WebView” component for now. We are moving to Firefox Gecko base shortly.

      Reply
  • 2014/01/13 at 11:07 pm
    Permalink

    My IP is only concealed if I use my phone’s data plan. If I am connected to WiFi, it will show that address.

    Reply
  • 2014/05/04 at 6:26 pm
    Permalink

    Any news?
    Whats the best option,orweb,orfox or firefox + addon?

    Reply
  • 2014/08/23 at 6:57 am
    Permalink

    The latest Firefox v31.0 on Android 4.4 leaks the traffic, even with the proxy mobile (v0.0.10) pointing to a TOR proxy.
    This doesn’t matter if the TOR proxy is local (Orb on android) or on a remote machine (Tor on a PC). The leakage happens on the tablet itself.

    The leakage is web site specific. For example, a very unobnoxious web site http://www.whatisb-12.com always leaks. Many ad links leak through.

    Testing the same scenario with a desktop Firefox does not leak.

    You can test this by simply watching your router’s web site visit logs while doing the browsing.

    Don’t know how long the leaks have been going on. Searching reports on such a problem yield nothing. It’s been unnoticed for too long.

    It seems the problem is Firefox android.

    Reply
  • 2014/08/23 at 7:52 am
    Permalink

    Just want to follow up to add more details of the setup:

    Nexus 7: android 4.4.4
    Firefox: v35.0 (the latest)
    Proxy Mobile: 0.0.10, from theguardianproject
    Proxy setting: SOCKS5 only to local:9050 or :9050
    DNS: go through socks, enabled

    Leakage occurs on many but not all web sites. The web sites do not seem to have usually content e.g. videos.

    When using desktop firefox ESR, SOCKS proxy to the same tor, no leakage.

    Reply
  • 2014/10/12 at 11:33 pm
    Permalink

    The user agent displayed by http://ip-check.info can be changed from Settings -> User Agent to TorBrowserBundle to be the most generic, however I did noticed at times that the user agent may disclose the device name right when you start Orweb the first time after installation/update.
    The bigger issue is the media tags issue though.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>