
TTP-02-007 WP1: Missing about: pages in shouldShowTorConnect check (Info)

Description:

It was discovered that the about:welcome, about:privatebrowsing, and about:home pages are not redirecting to about:tor when they are accessed by a user who has not connected to Tor yet.

While this behavior does not present any immediate security risk, it can potentially cause confusion or alarm users who may access these pages before being connected to the Tor network. To ensure consistency across all about: pages, it is recommended to deploy relevant changes.

Affected file:

browser/base/content/utilityOverlay.js

Affected code:

if (TorConnect.shouldShowTorConnect) {
  if (
    url === "about:tor" ||
    (url === "about:newtab" &&
      Services.prefs.getBoolPref("browser.newtabpage.enabled", false))
  ) {
    url = TorConnect.getRedirectURL(url);
  }
}

In order to reproduce this issue, simply open the Tor Browser, access about:home and note that the page does not perform an automated redirection to about:tor.

To mitigate the problem, Cure53 advises including additional checks to validate whether the URL matches about:welcome, about:privatebrowsing or about:home. If a match is found, the page should be redirected to about:tor.
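
The recommended check beside the affected one, as an added example that is not Tor Browser's or Cure53's code. `makeEnv`, `originalCheck`, `hardenedCheck`, `unredirected` and the `REDIRECTED(...)` return value are hypothetical stand-ins so the logic runs outside the browser; the real `TorConnect.getRedirectURL` output is not shown on this page.

```javascript
// Pages the finding says must be redirected while Tor is not yet connected.
const ALWAYS_REDIRECT = new Set([
  "about:tor", "about:welcome", "about:privatebrowsing", "about:home",
]);

// Constructed stand-ins for TorConnect and Services.prefs (assumptions).
function makeEnv(connected, newtabEnabled) {
  return {
    TorConnect: {
      shouldShowTorConnect: !connected,
      getRedirectURL: (url) => "REDIRECTED(" + url + ")", // placeholder value
    },
    prefs: {
      getBoolPref: (name, fallback) =>
        name === "browser.newtabpage.enabled" ? newtabEnabled : fallback,
    },
  };
}

// Logic as quoted under "Affected code".
function originalCheck(url, env) {
  if (env.TorConnect.shouldShowTorConnect) {
    if (
      url === "about:tor" ||
      (url === "about:newtab" &&
        env.prefs.getBoolPref("browser.newtabpage.enabled", false))
    ) {
      url = env.TorConnect.getRedirectURL(url);
    }
  }
  return url;
}

// Same logic with the recommended extra about: pages included.
function hardenedCheck(url, env) {
  if (!env.TorConnect.shouldShowTorConnect) return url;
  const newtab =
    url === "about:newtab" &&
    env.prefs.getBoolPref("browser.newtabpage.enabled", false);
  return ALWAYS_REDIRECT.has(url) || newtab
    ? env.TorConnect.getRedirectURL(url)
    : url;
}

// Lists the pages a given check leaves unredirected before Tor is connected.
function unredirected(check) {
  const env = makeEnv(false, true);
  return [...ALWAYS_REDIRECT, "about:newtab"].filter((u) => check(u, env) === u);
}
```

Running `unredirected` against both functions works as a regression check: any about: page added to the set later is covered automatically.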
