https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).
To fix this DNS leak/security hole, follow these steps:
Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
Type “websocket” (again, without the quotes) into the search bar that appears below "about:config".
Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.
See Tor bug 5741 for more details.
(https://bugs.torproject.org/5741)
We are currently working on new bundles with a better fix."
On May 2nd, 2012 Anonymous said:
Oh dear :(
Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?
On May 2nd, 2012 Anonymous said:
THE DRAMA CONTINUES…
TBB proxy bypass: Some DNS requests not going through Tor
Ticket #5741 (closed defect: fixed)
https://trac.torproject.org/projects/tor/ticket/5741
by mikeperry
Good catch Robert. Disabling about:config pref network.websocket.enabled prevents it from happening for me… I'm now grepping through the Firefox WebSocket code looking for the issue…
by mikeperry
This is fixed and pushed to all TBB branches. I fixed it by blocking all DNS requests while socks_remote_dns is enabled, so we don't end up with this showing up in new components in the future.
Additional Reference:
[tor-talk] Firefox security bug (proxy-bypass) in current TBBs
Robert Ransom rransom.8774 at gmail.com
Wed May 2 22:43:52 UTC 2012
See https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
for the security advisory.
Robert Ransom
Another version of TBB, another bug. IMO, they should mark all releases of TBB as ALPHA!
At the time of collecting this bug report and passing the news on to others, there have not been any new releases of TBB versions to fix this bug on their download pages, but it'll come.
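To confirm that the about:config workaround from the advisory quoted above is actually in effect, the profile's preference files can be checked offline. The following is an added example, not code from the Tor Project or from the original post; the sample profile contents are constructed, and treating a missing `network.websocket.enabled` entry as "enabled" is an assumption about the affected builds.

```python
import re

# One line of a Firefox prefs.js / user.js file, e.g.
#   user_pref("network.websocket.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref_name: value} for boolean, integer and string prefs."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def effective_prefs(prefs_js, user_js=""):
    """user.js is applied on top of prefs.js at startup, so its values win."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged

def websocket_workaround_applied(prefs, default_enabled=True):
    """True only when network.websocket.enabled resolves to false.

    prefs.js stores only values that differ from the built-in default, so a
    missing entry falls back to default_enabled (assumed True here).
    """
    return prefs.get("network.websocket.enabled", default_enabled) is False

# Constructed sample profile contents (not from a real Tor Browser Bundle).
PREFS_BEFORE = '''# Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks_remote_dns", true);
'''
PREFS_AFTER = PREFS_BEFORE + 'user_pref("network.websocket.enabled", false);\n'
USER_JS_REENABLE = 'user_pref("network.websocket.enabled", true);\n'

if __name__ == "__main__":
    for label, prefs in [("before", effective_prefs(PREFS_BEFORE)),
                         ("after", effective_prefs(PREFS_AFTER)),
                         ("after + user.js", effective_prefs(PREFS_AFTER, USER_JS_REENABLE))]:
        print(label, "workaround applied:", websocket_workaround_applied(prefs))
```

The third case shows why both files matter: a `user.js` that sets the preference back to `true` silently undoes the change made in about:config on the next start.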