Bug #1640

Orweb flash vulnerability

Added by Anonymous over 4 years ago. Updated over 4 years ago.

Status: In Progress
Start date: 07/24/2013
Priority: Immediate
Due date:
Assignee: n8fr8
% Done: 0%
Category: -
Target version: -
Component:

Description

I just downloaded Orbot and Orweb via the Playstore with Android.

When I visited http://ip-check.info, a web page that tests anonymizer techniques, the page found out my real IP via the Flash plugin.

The Tor Browser Bundle deactivates the flash plugin by default.

Workaround: Uninstall Flash. Maybe this is also helpful, but I think this might not work on Android:
https://anonymous-proxy-servers.net/en/help/flash-applets.html

Because "Adobe Flash Player 11" has 100.000.000+, I set the priority to immediate. I think it's easy to build a little Flash app that logs the real IP.

I would suggest that you remove the line "RESISTANT TO FLASH VULNERABILITIES: Orweb attempts to prevent Flash from loading on sites you visit, blocking many common security threats." from your Orweb page.

Best regards,
me

History

#1 Updated by n8fr8 over 4 years ago

  • Status changed from New to In Progress
  • Assignee set to n8fr8

Looking into the following options:

1) Detecting flash is installed on the device, and warning user

2) New APIs or custom APIs for ensuring Flash is disabled on ALL browser/device flavors
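The two options above, sketched as an added Android example; this is not Orweb's code. It assumes the Flash Player package is named `com.adobe.flashplayer` and uses the pre-API-18 `WebSettings.setPluginState` call to keep plugins from loading in the WebView at all, so the warning (option 1) and the hard disable (option 2) are applied together.

```java
import android.app.AlertDialog;
import android.content.Context;
import android.content.pm.PackageManager;
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Detects an installed Flash Player and keeps the WebView from loading plugins (example, not Orweb code). */
public final class FlashGuard {
    // Assumed package name of Adobe Flash Player on Android.
    private static final String FLASH_PACKAGE = "com.adobe.flashplayer";

    private FlashGuard() {}

    /** Option 1: true if the Flash Player package is present on the device. */
    public static boolean isFlashInstalled(Context context) {
        try {
            context.getPackageManager().getPackageInfo(FLASH_PACKAGE, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    /** Option 2: turn plugin loading off for this WebView so Flash content cannot run. */
    public static void disablePlugins(WebView webView) {
        WebSettings settings = webView.getSettings();
        // PluginState.OFF exists on API 8-17; later releases drop plugin support entirely.
        settings.setPluginState(WebSettings.PluginState.OFF);
    }

    /** Hardens the WebView first, then warns the user if Flash is installed. */
    public static void protect(Context context, WebView webView) {
        disablePlugins(webView);
        if (isFlashInstalled(context)) {
            new AlertDialog.Builder(context)
                .setTitle("Flash Player detected")
                .setMessage("Adobe Flash Player is installed. Flash can reveal your real IP address "
                        + "even when browser traffic goes through Tor. Plugins have been disabled "
                        + "in this browser; uninstalling Flash is recommended.")
                .setPositiveButton(android.R.string.ok, null)
                .show();
        }
    }
}
```

Call `FlashGuard.protect(this, webView)` from the activity that creates the WebView, before the first `loadUrl`. Disabling plugins is done unconditionally because the package check alone cannot cover every device flavour; the dialog only adds the user-facing warning.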
