Exclamation [real ip disclosure] Security warning: Orweb Tor Browser

The Orweb Tor Browser from the Guardianproject has a really serious security flaw. The actual ip of an user can be determined by using HTML5 video or audio elements, despite the user is connected via the TOR connection.



The problem is the underlying WebView component which doesn't handle proxy settings correctly. There's also a blog post from August 21st, 2013 on this problem. Nevertheless, the browser with over 1 million installations is still available in the PlayStore and might be widely used. The developers offer an alternative solution with the Firefox Addon proxy mobile that isn't affected by this bug.

More details are available at Why you really shouldn't use Orweb anymore.
Quick-Check (to be accessed from Orweb): http://xordern.net/checkip

The ip leakage can be reproduced with at least Android 2.3.5, Android 4.1.2 and Android 4.3.