[tor-bugs] #26252 [Applications/Tor Browser]: Orfox leaks actual IP address when downloading

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 31 17:54:01 UTC 2018


#26252: Orfox leaks actual IP address when downloading
--------------------------------------+-----------------------------------
 Reporter:  Chai T. Rex               |          Owner:  n8fr8
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by gk):

 Replying to [comment:5 Chai T. Rex]:
 > It was definitely my real home cable Internet address. Now it's showing
 my real Starbucks IP address. I checked what my non-Tor IP address was at
 both locations in the Chrome browser on my laptop on the same WiFi
 connection as my Android phone without using a proxy server by
 [https://www.google.com/search?q=what+is+my+ip+address searching Google
 for `what is my ip address`]. It matched the real IP address revealed by
 xordern's extended check after the file download step on that page in
 Orfox.
 >
 > Perhaps the version on the Google Play Store is buggy. Or perhaps it's
 using something buggy on my ZTE N817 phone using Android 4.4.4, kernel
 `3.4.0-gaa480ec (wangyd at ztesuper25) (gcc version 4.7 (GCC) ) #1 SMP
 PREEMPT Wed Feb 28 15:38:36 CST 2018` `zte-kernel at Zdroid-SMT`, SW version
 `N817V1.0.0B16`.

 With a clean Orfox session I can't reproduce this proxy bypass. However,
 here is what you might have done:

 1) Tried to open the file with the video player: that leaks your IP
 address on the website
 2) Tried to download the video file over Orfox *after* you did 1).
 Interestingly in this case it is still showing my real IP address. This
 could be a bug in the website or it could be indeed a proxy bypass, I have
 not checked.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26252#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list