-------- Original Message --------
Subject: [guardian-dev] Orweb Security Advisory: Possible IP leakage with HTML5 video/audio
Date: Wed, 21 Aug 2013 16:17:23 -0400
From: Nathan of Guardian <[email protected]>
To: Guardian Dev <[email protected]>

https://guardianproject.info/2013/08/21/orweb-security-advisory-possible-ip-leakage-with-html5-videoaudio/

The Orweb browser app is vulnerable to leaking the actual IP of the device it is on if it loads a page with HTML5 video or audio tags, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src, or for the image poster, is made outside of the proxy settings.

The Android WebView component upon which Orweb is built does not pass on the proxy settings for the web page to the embedded media players it displays. Additionally, even though the proper API calls are made to turn off all plugins, HTML5 video and audio players are apparently not considered plugins, and there is no way to disable them at an API level.

We are currently working to determine which versions of Android these issues occur on. We have a fix implemented that filters all video and audio tag instances out of retrieved content and, on newer versions of Android, requires a user gesture/tap before media players are loaded. We expect to have a fix out in the next 24 to 48 hours.

In the meantime, if you are using Orweb with the goal of strong anonymity, and not just circumvention or proxying, we advise you to avoid all sites that may include HTML5 video or audio content embedded in the pages, or to just stop using the app altogether.

Alternatively, you can use Firefox for Android with the Proxy Mobile add-on (load this XPI within Firefox: https://guardianproject.info/releases/proxymob-latest.xpi).

This does NOT affect users who use the root mode with transparent proxying, as that handles proxying the entire traffic of the entire device or a particular app.
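The interim fix described above, filtering media elements out of fetched content before the WebView sees them, as an added example (not Orweb's own code): a small HTML filter that drops <video>/<audio> elements and their <source> children, and records the src/poster URLs the embedded player would otherwise have requested off-proxy. The sample page and its media hostnames are constructed for the example.

```python
# Added example, not Orweb's code: a filter in the spirit of the advisory's fix.
# Strips <video>/<audio> (and their <source> children) from fetched HTML before
# it reaches a WebView, and records the URLs the player would have fetched.
from html.parser import HTMLParser

MEDIA_TAGS = {"video", "audio", "source"}  # elements whose player fetches URLs
URL_ATTRS = {"src", "poster"}              # attributes naming a fetched URL

class MediaStripper(HTMLParser):
    """Re-emit the document without media elements; record their URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.out, self.leaked_urls, self.depth = [], [], 0

    def emit(self, text):  # suppress output while inside a media subtree
        if self.depth == 0:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in MEDIA_TAGS:
            self.leaked_urls += [v for k, v in attrs if k in URL_ATTRS and v]
            if tag != "source":  # <source> is void, there is no subtree
                self.depth += 1
            return
        self.emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # e.g. <audio src="..."/>
        self.handle_starttag(tag, attrs)
        if tag in ("video", "audio"):
            self.depth -= 1

    def handle_endtag(self, tag):
        if tag in MEDIA_TAGS:
            if tag != "source":
                self.depth = max(0, self.depth - 1)
            return
        self.emit(f"</{tag}>")

    def handle_data(self, data):       self.emit(data)
    def handle_entityref(self, name):  self.emit(f"&{name};")
    def handle_charref(self, name):    self.emit(f"&#{name};")

def filter_media(html):
    """Return (sanitized_html, media URLs the page would have requested)."""
    p = MediaStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.leaked_urls

# Constructed sample: autoplay video with poster, autoplay audio, and an
# ordinary <img> that must survive the filter untouched.
SAMPLE = ('<html><body><p>Hi &amp; bye</p>'
          '<video autoplay poster="http://media.example/poster.jpg">'
          '<source src="http://media.example/clip.mp4" type="video/mp4">'
          '</video><audio src="http://media.example/a.ogg" autoplay></audio>'
          '<img src="http://img.example/x.png"></body></html>')
```

The returned URL list is the detection side: anything in it is a request the page would have triggered without a user gesture, and the sanitized HTML is what should be handed to the WebView instead.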
