[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #26529 [Applications/Tor Browser]: TBA - Notify user about possible proxy-bypass before opening external app



#26529: TBA - Notify user about possible proxy-bypass before opening external app
-------------------------------------------------+-------------------------
 Reporter:  sysrqb                               |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, tbb-torbutton, tbb-      |  Actual Points:
  proxy-bypass, TBA-a3, tbb-8.5, tbb-parity,     |
  TorBrowserTeam201904                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor8
-------------------------------------------------+-------------------------
Changes (by mikeperry):

 * keywords:
     tbb-mobile, tbb-torbutton, TBA-a3, tbb-8.5, tbb-parity,
     TorBrowserTeam201904
     =>
     tbb-mobile, tbb-torbutton, tbb-proxy-bypass, TBA-a3, tbb-8.5, tbb-
     parity, TorBrowserTeam201904


Comment:

 In
 mobile/android/base/java/org/mozilla/gecko/notifications/NotificationHelper.java,
 we might be able to intercept that intent launcher.

 I also think that this should be tagged as tbb-proxy-bypass, because if
 you look at that code, it appears that external apps can be launched
 without *any* interaction. That is equivalent to TBA itself leaking, IMO.
 There is literally nothing the user can do to stop a malicious website
 from exploiting that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26529#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs