Zen browser had a backdoor enabled by default (opens in new tab)

(github.com)

46 pointsnobunaga1y ago31 comments

31 comments

21 comments · 15 top-level

jofzar1y ago· 3 in thread

I'm a little bit confused here. You are saying they are not responding appropriately but this was raised as an issue and merged the same day?

Retr0id1y ago

The developer response indicates that they were flipping security-sensitive configs based on vibes alone.

While the fix was merged promptly in this instance, they don't appear to have undertaken any kind of systematic reform.

SG-1y ago

but it got fixed. this is a free project, people like yourself are honestly a cancer to these projects and developers.

2 more replies

ckolkey1y ago

...seven months ago, no less

nobunagaOP1y ago· 1 in thread

I think it’s important to raise issues with project maintainers directly before publicizing issues and that’s been the case here however the devs are not really responding appropriately or showing a massive lack of incompetence.

For those not aware, Zen browser markets itself as privacy conscious browser however a serious backdoor has been found and multiple topics regarding its lack of privacy has been practically ignored.

It think it’s important to raise awareness of this as the browser is gaining popularity and it’s clear the devs lack the experience to secure the browser.

Edit Other github issues with lack of interest from devs https://github.com/zen-browser/desktop/discussions/5907#disc... https://github.com/zen-browser/desktop/issues/5947

isidor31y ago

I do think it's important to raise issues like this, but I personally hope that it means people put more careful eyes on it and pitch in patches so the project succeeds rather than people avoiding it.

(totally unbiased opinion from having just switched to it after apparently not enough research and not wanting to continue the browser hunt)

ramon1561y ago· 1 in thread

Can anyone talk some confidence about the project altogether? When it was first on HN I skimmed through the repo's and just wasn't convinced this was a very good project to begin with.

How secure is the actual browser for example?

akimbostrawman1y ago

why use some new niche reskin hobby browser which can't even do the very basic thing of copying one of the user.js privacy improvement projects when actual competent alternatives like mullvad browser or librewolf exist.

ahofmann1y ago· 1 in thread

“security problems are just bugs” - Linus Torvalds

And he is 100% right on this. The whole thread, or even that it got posted here on in shows the problem. It was just a bug. The maintainer fixed it. Open source works. It makes no sense to throw the whole project under the bus, just because one maintainer made a mistake, that happened to he a security problem. The last day this project closed 12 issues. Why is one issue, that was closed 7 months ago, such a problem, that we discuss this here? This is FUD against the project.

nobunagaOP1y ago

[flagged]

Alifatisk1y ago

Is it worth adding (2024) to the title? That "backdoor" (remote debugging) was an issue dated 24 aug 2024. https://github.com/zen-browser/desktop/pull/927

Current title made it seem like it's an active issue, when clicking on the link it leads to a discussion forum about "Telemtry and privacy issues", so even the title and the link does not match.

sakisv1y ago

Starting a bit of a tangent here I admit, but this makes me much more worried about the future of mobile browsing.

Sure, soon enough a decent non-chromium based desktop browser will come along, be it Zen or something else, but what about the mobile world?

Right now firefox is perfect for me: It makes the web browsable by allowing ublock origin, it syncs my tabs, history and bookmarks, it's great.

Moving to a scenario that we have a different browser on the desktop and a different one on the phone or, worse, the same on the phone but without adblocking sounds like a huge regression.

P.S. Regarding Zen: If you want to be taken seriously, or at least as something more than a toy project, teaching your maintainers how to talk to your (potential) users will go a long way. Telling them off will not gain you any friends. (I'm referring to the github discussion mentioned in a sibling comment: https://github.com/zen-browser/desktop/discussions/5907)

Barrin921y ago

>I thought it just allowede easier debugging, sorry

When Zen browser was posted here first I saw that the people behind it mostly seemed to be uni students in their early 20s so on their side I'd cut them some slack for inexperience but on the other hand it's why I'd never recommend anyone to run a browser fork like this, you might as well start buying birth control off Craigslist.

Lots of people recommending "forks of forks of forks" browsers and also linux distros these days largely maintained like this, but from a security standpoint it's kind of crazy.

plain1y ago

The repo owner is in damage control mode. He just renamed the title and commented on a 7 month old PR, now admitting it was a toy project back then. He claims it was "NOT because of un-experience" and that, 7 months after the fix, they "now provide the most private and secure experience". It doesn't seem convincing to me, but very comical.

dimava1y ago

@dang could you please update the title to

> Zen Browser has Remote Debugger enabled by default (2024)

to reduce confusion (as issue title was updated)

> It was enabled due that zen was still a toy project and we needed people to easily open the debugger for easier bug fixing. This was due because zen was not in a daily drivable state and didn't gain any sort of popularity yet.

sevg1y ago

If anyone is looking to stick with Firefox-based browsing, I’d recommend vanilla Firefox with arkenfox/user.js [0] and uBlock Origin.

[0]: https://github.com/arkenfox/user.js

account-51y ago

This has definitely put me off using zen. I was actively testing it as a replacement for Firefox, but at least Firefox is upfront about what it's doing, and you can disable it (something not so easily done in any other browser, afaiu).

jackstraw421y ago

I've probably had Zen Browser uninstalled from my system for about a year, and I just checked my AppData folder, found a 'zen' folder which eventually became 'zen-browser', and 2300+ files still sitting in my AppData/Roaming folder. maybe it's leftover stuff from extensions I installed but.... I probably just forgot to check the "delete all user profiles and settings" box, but who knows.

Going to do a pretty thorough tidying-up of my PC after this. thanks for posting, OP.

Yoric1y ago

This issue doesn't seem to talk about a backdoor at all.

There was apparently another issue that could be described as a backdoor, and afaict this issue was fixed.

Now, if you are concerned about the privacy of Telemetry, that's an entirely valid concern. But we're techies, can we please at least use the right vocabulary?

tummler1y ago

Can it just be forked into a branch with telemetry removed/disabled?

scarfaceneo1y ago

Yelp, back to librewolf it is.

j / k navigate · click thread line to collapse