[tbb-bugs] #26529 [Applications/Tor Browser]: TBA - Notify user about possible proxy-bypass before opening external app

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 2 20:38:31 UTC 2019


#26529: TBA - Notify user about possible proxy-bypass before opening external app
-------------------------------------------------+-------------------------
 Reporter:  sysrqb                               |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, tbb-torbutton, tbb-      |  Actual Points:
  proxy-bypass, TBA-a3, tbb-8.5, tbb-parity,     |
  TorBrowserTeam201904                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor8
-------------------------------------------------+-------------------------
Changes (by mikeperry):

 * keywords:
     tbb-mobile, tbb-torbutton, TBA-a3, tbb-8.5, tbb-parity,
     TorBrowserTeam201904
     =>
     tbb-mobile, tbb-torbutton, tbb-proxy-bypass, TBA-a3, tbb-8.5, tbb-
     parity, TorBrowserTeam201904


Comment:

 In
 mobile/android/base/java/org/mozilla/gecko/notifications/NotificationHelper.java,
 we might be able to intercept that intent launcher.

 I also think that this should be tagged as tbb-proxy-bypass, because if
 you look at that code, it appears that external apps can be launched
 without *any* interaction. That is equivalent to TBA itself leaking, IMO.
 There is literally nothing the user can do to stop a malicious website
 from exploiting that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26529#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

