possible ip leak

[xxjoe2]

Preliminary checklist

• I have read the README.
• I have searched the existing issues for my problem. This is a new ticket, NOT a duplicate or related to another open issue.
• I have read the FAQs.
• I have updated Bromite to the latest version. The bug is reproducible on this latest version.
• This is a bug report about the Bromite browser (not about the website, building Bromite, F-Droid or anything else).

Can the bug be reproduced with corresponding Chromium version?

No

Bromite version

108.0.5359.156

Device architecture

arm64

Android version

12.1

Device model

samsung tab s6

Changed flags

no flags changed

Is this bug about the SystemWebView?

No

Is this bug happening in an incognito tab?

Yes

Is this bug caused by the adblocker?

No

Is this bug a crash?

no

Describe the bug

possible real ip leaks, connected to the internet via proxy server

tested with:

1. bromite (screenshots below)
   tab 1 - https://browserleaks.com/ip (no leak)
   tab 2 - https://iplocation.io/ (leaked)

2. official firefox (leaked, known for webrtc ip leak on android)

3. kiwi browser with all extension off (no leak)

Steps to reproduce the bug

goto https://iplocation.io/ and real ip shown (including incognito mode)

Expected behavior

not leaking real ip

Screenshots

tab 1, bromite, https://browserleaks.com/ip, no ip leaked

tab 2, bromite, https://iplocation.io/, ip leaked

[xxjoe2]

more background info and investigations

background:

• actually i have some https proxies set in the proxy settings in bromite with certain bypass rules, and bromite connects to the internet via upstream proxies
• during the tests, bromite was connected in incognito mode via:
  a) those https proxies, and
  b) via those https proxies via upstrem socks proxies

investigations:

• i have performed some tests to check the leaks, and below are my findings which will leak your ip

1. without any proxy set in bromite, including incognito mode
2. put *.* in the bypass rules

hope this helps

[uazo]

without any proxy set in bromite, including incognito mode

and so it is correct that the real IP is shown, there is no proxy between you and the internet

put . in the bypass rules

remind me what that instruction is supposed to do?

[xxjoe2]

without any proxy set in bromite, including incognito mode

and so it is correct that the real IP is shown, there is no proxy between you and the internet

put . in the bypass rules

remind me what that instruction is supposed to do?

well, let me rephrase it

first, bromite should blocks webrtc. am i correct? although this should not be webrtc related

second, it was connected via socks proxy server (not http/https), so it should not reveal your ip, right

finally, i had 2 tabs connected, but only one tab (iplocation
io) revealed my real ip address. this is weird

for *.*, i just put it there for bypassing all temporarily without the need to edit the rules again

[uazo]

just tried using https://github.com/jgaa/shinysocks
I don't detect any problems. if SOCKS is set in the 'Use a single proxy list for all schemes' rule, the ip shown is always that of the proxy

[xxjoe2]

i have set some https proxies in "use a single proxy list for all". you may guess it's the x-fordwarding issue by the https servers, but why only iplocation.io leaks my ip? i have tested several times with both iplocation.io and browserleaks.com, plus a few others, and only iplocation.io failed to hide my ip

second, i have also included those domain in the exclude list, in the form of:
onion;check.torproject.org;browserleaks.com;iplocation.com;iplocation.io;ip2location.com;
it was (*.domain before, just for testing)
so they should bypass all those https proxies (however i find the bypass rules did not applied in certain circumstances). but if i emptied the bypassing rules, everything is fine, no leaks. even on iplication.io shows the https proxy ip address

third, all traffic from bromite will be forwarded to socks5 proxies ultimately. ie, bromite -> https proxies (if not excluded) -> socks5 proxies

i have checked my headers received from https://manytools.org/http-html-text/http-request-headers/, the real ip is the proxy ip too

so why iplocation.io can read my ip?

also, didi you see your ip there?

[giantplaceholder]

Just an idea, but this might be a proxy configuration at work. By default, many proxy servers use X-Forwarded-For header to identify the origin IP. This might be helpful in various situations, but this also may be why you're seeing your origin IP.

You're stating that you're connecting to one of the proxies via HTTP, even though some of them use another upstream SOCKS proxies. This, actually, might be enough to keep the header in the request.

[xxjoe2]

you are right, but i have checked via manytools.org i mentioned above, the x forwarder there always show the proxy ip address

as to illustrate the problem encounted clearly, i have set to bypass all domains involved in the screenshot below, where i opened 3 bromite windows connected to a single upstream socks5 proxy x.x.40.168, ie no http proxy involved

the image is a bit large or otherwise the text cant be shown clearly