Bug #6741

Another Android app could invisibly make Orfox transmit in clearweb without user knowing

Added by Anonymous almost 2 years ago. Updated almost 2 years ago.

Status:NewStart date:03/03/2016
Priority:ImmediateDue date:
Assignee:amoghbl1% Done:


Target version:Orfox RC


1. Run a process on the phone that binds a SOCKS5 proxy to on your android client. (I just cross-compiled https://github.com/physacco/socks5 since it was quick, but any Android app with internet permissions can do this, hence the security issue).
2. Start Orfox and go to check.torproject.org
3. Orbot will be auto-started, fail to bind on 9050, and bind to an alternative port. It will then return back a successful start indicator to Orfox.
4. Since Orfox doesn't know that Orbot had to change ports, it'll send the request to my malicious SOCKS proxy and I'll pass it through in the clear.
5. You see "Sorry. You are not using Tor."


#1 Updated by n8fr8 almost 2 years ago

  • Assignee set to amoghbl1
  • Target version set to Orfox RC

Thanks for the report. At the least, the check page fails in this basic form of the attack, however the attack could also route the first few requests over Tor, and then turn it off for the rest.

As Hans said, we have some new Intent based port lookups that Orbot supports now, but not Orfox yet.

As an additional improvement, we are looking at using a constant status check in the Orfox UI via the new Tor Check API.

Also available in: Atom PDF