Hi. I’ve watched the video. I’ll only comment about the parts relating to Qubes, but here are my two cents:
- it was probably a bug and not a hack
- even if whonix-ws-dvm gets hacked it’s OK! Qubes does not claim protection within individual VMs
- No system can protect you if you don’t update it
#1 it was probably a bug and not a hack
I’ve seen this one before. It’s unfortunate that the system isn’t 100% free of bugs. If that were the case, any deviation from expected behavior would obviously be an attempted hack.
I can’t find the issue page, but this is a known bug. Basically you must have clicked some video or something that made the browser become fullscreen but Qubes did not make it full screen. To fix this you should click F11.
#2 Qubes is still protecting you
Even if it were a hack, Qubes would still be doing its job by protecting your other qubes. Qubes makes no claims of in-VM protections.
They actually assume that an OS like Linux and browsers are guaranteed to have a large number of security vulnerabilities due to their large attack surface and complexity.
For example, from the Qubes FAQ:
> For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk

And you’re using a disposable qube. All you have to do is to close it and open a new one (assuming that was an anonymous session and you had not logged in to any service – if you had, you would need to assume those accounts have possibly been compromised).
#3 Keep the system up to date
With pending updates, there is no system that can secure you. Once a security update is out, it’s a race for attackers to use those known flaws to exploit your system…
To fix this, always keep the system up to date:
- Fixing Pending System Updates 1. - When the system has updates available, run them at the very least once a day in your situation. This is done via the Qubes Update tool.
- Fixing Outdated Templates (2. and 3.) - this may not be entirely your fault. Qubes sometimes ships with outdated templates. This is because it has its own release schedule. See this for more info. The solution is to keep an eye out on the Qubes news section for posts like this or this or, better yet, subscribe with your email to the qubes-announce newsletter, where you’ll be directly informed of these end-of-life notices.
- Tor Browser updates (4.) - You have to use the Tor Browser Downloader application when you see an update and not update via the internal “update available” notification within Tor Browser. The fact that it needs an external application (in Whonix) or updates via itself is a really really sad usability issue. A long issue the Tor Browser developers have failed to address.
Final comments
The “being complicated” is an issue everyone here is aware of and is something being worked on, for example via the upcoming application menu and an integrated onboarding tutorial I’m working on, as well as other community initiatives. It’s understandable if the burden of Qubes is too big for your workflow or consumes too much time.
However, the issue you’ve demonstrated is not a breach of Qubes