[tor-dev] Security issue

tortestprivacy tortestprivacy tortestprivacy at ro.ru
Mon Jan 20 22:54:02 UTC 2014


I found a security issue in Tor.
With Tor Browser Bundle default settings any web-site can access to local resources by JavaScript and XMLHttpRequest.
For example ANY web-site can scan local ports sending a requests to and see what port is opened.
For example:, and any other ports.
If some application listen some port it will be able to accept connections and responce to them. If it will be a local web-server any web-site that you visit can view html-pages on it even if all external incoming connections from Internet to this port are disabled by system firewall and only local connections from are allowed.

The decision is turn on ABE (Application Boundaries Enforcer) by default in NoScript Add-On. Now it's disabled by default.
After this any web-site can't get access to by JavaScript and XMLHttpRequest.

This rule will be added in NoScript by default if you turn on ABE:
# Prevent Internet sites from requesting LAN resources.
Accept from LOCAL

If you have default settings of Tor Browser Bundle, ABE is not turned on.
If so you can test what ports are opened on your computer for example here: http://tortestprivacy.url.ph/


More information about the tor-dev mailing list