[tbb-bugs] #25737 [Applications/Tor Browser]: Tor Browser Bundle IP Leak

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Apr 7 22:03:27 UTC 2018


#25737: Tor Browser Bundle IP Leak
------------------------------------------+----------------------
     Reporter:  cypherpunks               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 I am on macOS, and my current setup involves an isolation proxy, custom pf
 rules, an application firewall and the tor browser bundle (7.5.3).

 The firefox process has only localhost access to the tor.real process.
 The tor.real process has only localhost access to the obf4proxy process.
 The obfs4proxy process can only access the remote IP/port tuple.
 I modified the tbb-torrc adding `UseBridges 1`.

 During the latest (vidalia) startup, my application firewall warned me
 that a process named `xpcproxy` was attempting to directly connect to
 `82.195.75.101/443tcp`.

 Since a reverse dns lookup resolves to `listera.torproject.org`, I believe
 this to be non malicious, but I'd count the behaviour as a potential IP
 leak.

 Firefox should wait for the tor process to be ready and spawn the call
 over a tor circuit; if not, a malicious ISP (eg) has the potential to
 enumerate users.

 I denied the access and restarted the browser, but have not been able to
 reproduce yet. So this is possibly a race condition between firefox and
 vidalia, because of this I am unsure if this should be a tor browser or a
 tor launcher ticket.

 How can I inspect this?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25737>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list