[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Fwd: [guardian-dev] Orweb Security Advisory: Possible IP leakage with HTML5 video/audio



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




- -------- Original Message --------
Subject: [guardian-dev] Orweb Security Advisory: Possible IP leakage
with HTML5 video/audio
Date: Wed, 21 Aug 2013 16:17:23 -0400
From: Nathan of Guardian <nathan@xxxxxxxxxxxxxxxxxxxx>
To: Guardian Dev <guardian-dev@xxxxxxxxxxxxxxxxxx>


https://guardianproject.info/2013/08/21/orweb-security-advisory-possible-ip-leakage-with-html5-videoaudio/

The Orweb browser app is vulnerable to leak the actual IP of the
device it is on, if it loads a page with HTML5 video or audio tags on
them, and those tags are set to auto-start or display a poster frame.
On some versions of Android, the video and audio player start/load
events happen without the user requesting anything, and the request to
the URL for the media src or through image poster is made outside of
the proxy settings.

The Android WebView component upon which Orweb is built, does not pass
on the proxy settings for the web page to embedded media players it
displays. Additionally, even though the proper API calls are made to
turn off all plugins, apparently HTML5 video and audio players not
considered plugins, and there is no way to disable them at an API level.

We are currently working to determine which versions of Android these
issues occur on. We have a fix implemented that filters all video and
audio tag instances out of retrieved content, and on newer versions of
Android, that requires a user gesture/tap before media players are loaded.

We expect to have a fix out in the next 24 to 48 hours. In the
meantime, if you are using Orweb with the goal of strong anonymity,
and not just circumvention or proxying, we advise you to avoid all
sites that may include HTML5 video or audio content embedded in the
pages, or to just stop using the app all together. Alternatively, you
can use Firefox for Android with the Proxy Mobile add-on (load this
XPI within Firefox:
https://guardianproject.info/releases/proxymob-latest.xpi)

This does NOT affect users who use the root mode with transparent
proxying, as that handles proxying the entire traffic of the entire
device or a particular app.
_______________________________________________
Guardian-dev mailing list

Post: Guardian-dev@xxxxxxxxxxxxxxxxxx
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev

To Unsubscribe
        Send email to:  Guardian-dev-unsubscribe@xxxxxxxxxxxxxxxxxx
        Or visit:
https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info

You are subscribed as: nathan@xxxxxxxxxxxxxxxxxxxx


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSFSCTAAoJEKgBGD5ps3qpr3UP/Rxoi+uGsw2U/jqK2lv532Ur
EVjS0UuhA2sAQ9e+HOpmgpHs8cEZv80q5heHbOcNfqAsUm/p6O6dwHtWhdJTQt7z
XyfBDr6pKuEY6mTZgiX+A3iDOC5qI3iVTDb37i4CbED2JGcZy22AxJCpUmyiU+5R
8ilFWqwmTimNivRo2KTOss4K2JkrNsX7Vvg5z/vy21dhMBeOhyf6k1NcICVktiL4
Vi46qZ9fC3s9e2RFhn5CYTkYH2jXn45+ayExIByWJF6yPlj6MYcifdYoyiXTHbCc
twy9tq0XIe9BAX5Jqvh1uW7lNyhJcJgc6lVw4DDNKVBiJFS4TYM4+fr95ca2bkft
dJfY4Qr+uQBTcEOn1CtNqs610sXICXCzFdvn5KlwCQL79M81CjWDtie7SBtgW9xN
qVn41u/QM2Flhr6VkMDkE00ujLFiSNaPFA7Rt4Il1GIOMV/St7SeGmNCbz89LdTF
e6KBfP8V29OjiIGIDqQFSukVzJEMrFrHIgfrMNLgxUV77pmIjrOwCLFEJNac7zuQ
a1i5hC/dI5ip0zG8QvsVfKZg8Jd6kT6cTJBlfe4ImI1GuPA6vm/rlW6Sy44S/rhP
c8kfX78nr3I3gzjPaK4oJuQy3+0/KKWxiAgQjTyt8iG1h6BidVsBxoHoWdxhenLP
0pZNZp1Hfi07VQp9bsdV
=4HWT
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk