Bug #1640
Orweb flash vulnerability
| Status: | In Progress | Start date: | 07/24/2013 |
|---|---|---|---|
| Priority: | Immediate | Due date: | |
| Assignee: | n8fr8 | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Component: | | | |
Description
I just downloaded Orbot and Orweb via the Play Store on Android.
When I visited http://ip-check.info, a web page that tests anonymizer techniques, the page found out my real IP via the Flash plugin.
The Tor Browser Bundle deactivates the Flash plugin by default.
Workaround: uninstall Flash. Maybe this is also helpful, but I think this may not work on Android:
https://anonymous-proxy-servers.net/en/help/flash-applets.html
Because "Adobe Flash Player 11" has 100,000,000+ installs, I set the priority to immediate. I think it's easy to build a little Flash app that logs the real IP.
I would suggest that you remove the line "RESISTANT TO FLASH VULNERABILITIES: Orweb attempts to prevent Flash from loading on sites you visit, blocking many common security threats." from your Orweb page.
Best regards,
me
History
#1 Updated by n8fr8 over 4 years ago
- Status changed from New to In Progress
- Assignee set to n8fr8
Looking into the following options:
1) Detecting whether Flash is installed on the device, and warning the user
2) New APIs or custom APIs for ensuring Flash is disabled on ALL browser/device flavors
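The two options in comment #1, shown as an added example against the Android WebView and PackageManager APIs of the Flash-on-Android era. This is not Orweb's code; the class name `FlashGuard`, the helper names, the `setUp` wiring and the warning text are made up for illustration, and the Flash Player package name `com.adobe.flashplayer` is an assumption.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.widget.Toast;

/**
 * Added example (not Orweb's own code): option 1 (detect Flash and warn) and
 * option 2 (make sure this app's WebView never loads a plugin) from comment #1.
 */
public final class FlashGuard {

    // Assumption: the Play Store package name of Adobe Flash Player for Android.
    public static final String FLASH_PACKAGE = "com.adobe.flashplayer";

    private FlashGuard() { }

    /**
     * Option 1: detect whether the Flash Player plugin package is installed.
     * Presence alone does not stop a WebView from loading it, so this is
     * only the trigger for a user warning; hardenWebView() does the blocking.
     */
    public static boolean isFlashInstalled(Context ctx) {
        try {
            ctx.getPackageManager().getPackageInfo(FLASH_PACKAGE, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    /**
     * Option 2: refuse to load any plugin in this WebView, whatever is installed.
     * Must run before the first loadUrl(). Returns true only if the WebView
     * reports that the setting actually took, so the caller can fail closed
     * on a device build that ignores it.
     */
    @SuppressWarnings("deprecation") // setPluginState/getPluginState are deprecated since API 18, but they are the controls that govern Flash
    public static boolean hardenWebView(WebView view) {
        WebSettings s = view.getSettings();
        s.setPluginState(WebSettings.PluginState.OFF);
        return s.getPluginState() == WebSettings.PluginState.OFF;
    }

    /** Example wiring for the Activity that hosts the browser WebView (hypothetical). */
    public static void setUp(Context ctx, WebView view) {
        if (!hardenWebView(view)) {
            // Fail closed: never fetch remote pages through a WebView that still allows plugins.
            view.loadData("<p>Plugins could not be disabled; refusing to browse.</p>",
                    "text/html", "utf-8");
            return;
        }
        if (isFlashInstalled(ctx)) {
            Toast.makeText(ctx,
                    "Adobe Flash Player is installed. It is blocked in this browser, "
                    + "but other apps on this device can still load it and expose your real IP.",
                    Toast.LENGTH_LONG).show();
        }
    }
}
```

The plugin setting is per WebView, so it only covers this app's own browsing; nothing an app can do turns Flash off in other browsers installed on the device, which is why the "ALL browser/device flavors" part of option 2 is harder than option 1 and why the example warns the user rather than claiming the device is safe.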