
Media Files Being Routed Through Tor?

Open jeffjacobs69 opened this issue 2 years ago • 5 comments

Hello,

Like another user has experienced even with VPN enabled, WebRTC was able to leak my real IP address along with my VPN IP address. https://github.com/OnionBrowser/OnionBrowser/issues/112 https://twitter.com/pwnsdx/status/961413267028619264

This led me to investigate over what IP requests to media files inside of <video> and <audio> tags were using since that is supposed to leak outside of Tor as well. I set up an Apache server run both as a Clearnet and hidden service on my local machine and hosted a simple web page with embedded media with src's to the media files on the Clearnet URL.

<html>
<body>
<h1>TEST SITE</h1>
<video width="640" height="480" src="http://72.xxx.xxx.xxx/video.mp4" controls></video>
<video width="640" height="480" src="http://72.xxx.xxx.xxx/video1.mov" controls></video>
<video width="640" height="480" src="http://72.xxx.xxx.xxx/video2.webm" controls></video>
<video width="640" height="480" src="http://72.xxx.xxx.xxx/video3.ogg" controls></video>
<video width="640" height="480" src="http://72.xxx.xxx.xxx/video4.wmv" controls></video>
<video width="640" height="480" src="http://72.xxx.xxx.xxx/video5.avi" controls></video>
<audio src="http://72.xxx.xxx.xxx/audio.mp3" controls></audio>
</body>
</html>

Reviewing the Apache logs, I would expect to see either my real IP or the IP of my VPN for the requests to these media files, but instead what I see is the IP of Tor Exit Nodes, suggesting this traffic to media files is being routed through Tor.


I am very confused. Did I not set my test environment up correctly? What led to the conclusion that this traffic was routed outside of Tor in the first place? https://github.com/OnionBrowser/OnionBrowser/wiki/Traffic-that-leaks-outside-of-Tor-due-to-iOS-limitations

Thanks,

*Edit: I can confirm that I was also able to straight up stream an mp4 video embedded in the site through .onion Tor. It would be impossible to do this if it were making media requests outside of Tor, correct? What am I missing here?


jeffjacobs69 avatar Jun 06 '22 02:06 jeffjacobs69
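
The log review described in the post above, written out as an added example (not part of the original thread): it classifies each media request in an Apache access log by whether the client address is a Tor exit, a known direct address, or neither. The exit set, the direct addresses and the log lines are constructed samples from documentation ranges; in practice the exit set would come from a saved copy of a Tor exit list.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Apache common/combined log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')
MEDIA_EXT = (".mp4", ".mov", ".webm", ".ogg", ".wmv", ".avi", ".mp3")

# Constructed sample data (documentation address ranges, not real observations).
SAMPLE_TOR_EXITS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_DIRECT = {"203.0.113.5": "real", "198.51.100.20": "vpn"}
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jun/2022:21:40:01 -0400] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Jun/2022:21:40:02 -0400] "GET /video.mp4 HTTP/1.1" 206 2',
    '192.0.2.11 - - [05/Jun/2022:21:40:03 -0400] "GET /video.mp4 HTTP/1.1" 206 65536',
    '203.0.113.5 - - [05/Jun/2022:21:40:04 -0400] "GET /video2.webm HTTP/1.1" 206 2',
    '198.51.100.77 - - [05/Jun/2022:21:40:05 -0400] "GET /video1.mov?t=1 HTTP/1.1" 200 9',
    'not an access log line',
]

def classify_media_requests(log_lines, tor_exits, known_direct):
    """Map each requested media path to the set of origins that fetched it:
    'tor', 'direct:<label>' (label from known_direct) or 'unknown'."""
    exits = {ip_address(ip) for ip in tor_exits}
    direct = {ip_address(ip): label for ip, label in known_direct.items()}
    result = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line
        client, path = m.groups()
        path = path.split("?", 1)[0].lower()
        if not path.endswith(MEDIA_EXT):
            continue  # only media fetches are of interest here
        try:
            addr = ip_address(client)
        except ValueError:
            continue  # client logged as a hostname, cannot be compared
        if addr in direct:
            result[path].add("direct:" + direct[addr])
        elif addr in exits:
            result[path].add("tor")
        else:
            result[path].add("unknown")
    return dict(result)

def leaking_paths(classified):
    """Media paths fetched at least once from a known direct (non-Tor) address."""
    return sorted(p for p, o in classified.items() if any(x.startswith("direct:") for x in o))
```

A media element usually issues several range requests (status 206) per file, possibly over different circuits, so a file counts as leaked if any one of its requests came from a direct address.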

Interesting. What device and OS version do you use?

Well, we try to catch as much traffic as possible from inside the UIWebView. However, AFAIR, <video> and <audio> tags were handled by a media handler component, which was out of process and didn't honour our rerouting.

Apple could have changed that silently. Maybe even due to some security issue. Who knows.

Regarding the VPN: That's strange. No idea why you leak your real address and not the VPN one.

To be honest: I'm not too keen on diving deep into issues like these anymore. We're currently working towards an Onion Browser 3, which moves away from the deprecated UIWebView and will be based on the newer WKWebView and a Network Extension.

This should be much safer. But might also have the option for a whole new bunch of security issues. :-)

tladesignz avatar Jun 08 '22 12:06 tladesignz

> Interesting. What device and OS version do you use?

iPhone XS Max iOS 15.5

Was media tested before to not have been routed through Tor?

jeffjacobs69 avatar Jun 08 '22 13:06 jeffjacobs69

> Was media tested before to not have been routed through Tor?

I think so, yes. That was before my time. @mtigas has more insight there.

tladesignz avatar Jun 09 '22 12:06 tladesignz

Correct. Our present knowledge is that multimedia via <audio> and <video> tags (or basically anything doing traffic via the native media player) would bypass Tor. Here's a very old comment that describes the situation: https://github.com/OnionBrowser/OnionBrowser/issues/30#issuecomment-21728543

Essentially, we use an NSURLProtocol handler that overrides HTTP+HTTPS and forcibly proxies that traffic. Even as recently as a couple years ago (last I checked), the iOS native media player (even inside WebKit) was ignoring that protocol configuration.

We probably need some more research into this, but like @tladesignz, I think there's a chance that Apple might have quietly changed/fixed this without documenting it.

mtigas avatar Jun 09 '22 16:06 mtigas

Am I right in my assumption that they would have had to have changed it if video is able to play from a .onion source? This would be impossible if it used a clear web connection.

Do you know why WebRTC leaks real IP address even while using a VPN as well? Using VPN with regular Safari, WebRTC only leaks the VPN IP suggesting something specific to Onion Browser.

jeffjacobs69 avatar Jun 09 '22 17:06 jeffjacobs69

Sorry, forgot to answer this. Unfortunately: no. No idea. And since, as explained, we're moving away to WKWebView and NetworkExtension, there's no good reason to spend time to investigate.

So I will close this. Sorry for not having a better answer and thanks a lot for bringing this to our attention!

tladesignz avatar Sep 29 '22 11:09 tladesignz