Thanks Meter 2
Join Date: May 2009
Location: Southern Germany
[real ip disclosure] Security warning: Orweb Tor Browser
The Orweb Tor Browser from the Guardianproject has a really serious security flaw. The actual ip of an user can be determined by using HTML5 video or audio elements, despite the user is connected via the TOR connection.
The problem is the underlying WebView component which doesn't handle proxy settings correctly. There's also a blog post
from August 21st, 2013 on this problem. Nevertheless, the browser with over 1 million installations is still available in the PlayStore and might be widely used. The developers offer an alternative solution with the Firefox Addon proxy mobile
that isn't affected by this bug.
More details are available at Why you really shouldn't use Orweb anymore
Quick-Check (to be accessed from Orweb): http://xordern.net/checkip
The ip leakage can be reproduced with at least Android 2.3.5, Android 4.1.2 and Android 4.3.