this post was submitted on 22 Mar 2025
297 points (83.8% liked)

Technology

67338 readers
4564 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
297
Zen browser had a backdoor enabled by default (github.com)
submitted 3 days ago* (last edited 3 days ago) by cyrano@lemmy.dbzer0.com to c/technology@lemmy.world
78 comments fedilink hide all child comments
 
top 50 comments
sorted by: hot top controversial new old
[–] priapus@sh.itjust.works 60 points 2 days ago* (last edited 2 days ago) (2 children)

I'm not sure why you linked to this irrelevant 3 week old issue while referring to something that was fixed a year ago. Referring to it as a backdoor also implies that it was malicious, when it was simply incompetence. Have there been any security issues since? (Not trying to imply that not having any would make it safe, just wondering).

Zen is an amateur hobbyist project, expecting it to be something else is silly. It isn't backed by a company, so you take on these risks when you use the project. The same thing goes for all community run browser forks, and unfortunately, using upstream browsers will 100% be more secure. If you don't want to take those risks, just use Firefox (preferably hardened).

Security costs money, open source browser forks generally don't have much of that.

Edit: I'm not trying to shit on this browser, or even say that nobody should use it. Be aware of your attack surface and know what risks you're taking on when using any piece of software. I'm probably still going to play around with Zen, but I probably won't be doing my banking on it.

[–] Wildly_Utilize@infosec.pub 16 points 2 days ago* (last edited 2 days ago) (1 children)

I'd like to take this opportunity to say Mullvad browser is maintained by Mullvad and Tor Project which in my eyes sets it way apart from these hobby forks (including librewolf)

[–] priapus@sh.itjust.works 7 points 2 days ago (1 children)

I agree, Mullvad is the only fork that I have confidence in the security of (ignoring Tor ofc since it's not really for general use).

[–] pastermil@sh.itjust.works 2 points 2 days ago (1 children)

I'll bite: what's wrong with LibreWolf?

[–] priapus@sh.itjust.works 3 points 1 day ago (2 children)

It just lacks manpower unfortunately. Going with a browser that has the funding for a security team is the safer option.

[–] michaelmrose@lemmy.world 1 points 1 day ago (1 children)

Librewolf is firefox with different settings how does it not already benefit from Firefox's security team

[–] priapus@sh.itjust.works 1 points 1 day ago (1 children)

It does, but less than Firefox does. Their lack of manpower means delayed updates to fix zero days compared to Firefox. It also means less eyes on any patches introduced, so I'd be more concerned about malicious code being introduced.

[–] michaelmrose@lemmy.world 1 points 1 day ago (1 children)

Their lack of manpower means delayed updates to fix zero days compared to Firefox

From their site:

LibreWolf is always built from the latest Firefox stable source, for up-to-date security and features along with stability.

As soon as firefox pushes a release, for instance to fix a security vulnerability, librewolf can immediately rebuild It is literally just firefox with different setting. Delay between firefox release and librewolf release should be negligible. You can verify this by noting that 136.0 was offered on the same day.

https://codeberg.org/librewolf/source/commit/2b90daeb5aa5a80443f4f7655393f610fb16418a

https://www.mozilla.org/en-US/firefox/136.0/releasenotes/

The difference in time between firefox and librewolf security updates is less than the variance between users updating their machines.

[–] priapus@sh.itjust.works 1 points 1 day ago* (last edited 1 day ago)

I'm not saying Librewolf is insecure, I'm just saying its a bit less secure. They generally do a good job keeping up to date, but there can be delays if an update conflicts with their changes.

Librewolf is not just a Firefox config. You can look at the repo and see a number of patches. Without a paid security team to review these patches with every update, it is less secure.

I'm not saying not to use Librewolf, the likelihood of a zero day specifically targeting it and effecting a significant number of users is very unlikely, simply based off of the size of its userbase compared to more mainstream browsers.

[–] pastermil@sh.itjust.works 1 points 1 day ago

Thanks! Makes me wonder if there's a chance all this separate effort can come into one.

[–] priapus@sh.itjust.works 6 points 2 days ago* (last edited 2 days ago)

Also want to add that this was caused by a configuration issue. If you want security, don't use Firefox (or its forks) default configs, look into Betterfox. Apparently Zen also uses this as the base for its default preferences, which is a good decision.

[–] woelkchen@lemmy.world 129 points 3 days ago (2 children)

The "backdoor" mentioned in a single reply is very different from the telemetry issue. https://github.com/zen-browser/desktop/pull/927 was fixed a year ago.

I agree the telemetry should be either disabled or at the very least users should just get a config tab on first launch to opt out but the Lemmy submission is misleading and bordering on fake news.

[–] ripcord@lemmy.world 58 points 3 days ago

Either way...reading through this, this developer seems like an idiot.

He doesn't really understand what the code he's shipping is doing, he doesn't want to listen to people or ask real questions. He gets defensive to even constructive criticism

Not who I want driving the project behind something as critical as my browser.

[–] Ulrich@feddit.org 1 points 1 day ago* (last edited 1 day ago)

According to their privacy policy there is no telemetry: 1.1. No Telemetry. We do not collect any telemetry data.

[–] _cryptagion@lemmy.dbzer0.com 51 points 3 days ago (3 children)

I thought it just allowede easier debugging, sorry

What the fuck, this dude is making a browser and he doesn't know what shit in the code he's shipping even does?

[–] lazynooblet@lazysoci.al 23 points 2 days ago

Not really an excuse but I expect writing a browser is an extremely intensive project and perhaps they were unprepared.

Navigating any code base that isn't your own adds it's own challenge on top.

So at this point I think it's a "deer in headlights" case with some "head in sand" thrown in.

[–] aaron@infosec.pub 5 points 2 days ago

It's either obvious bullshit, or the bloke is out of his depth.

I suppose I should try and not just throw people under the bus, but I struggle to buy it.

load more comments (1 replies)
[–] kane@femboys.biz 54 points 3 days ago (4 children)

They just closed the issue without even acknowledging it, lol

[–] woelkchen@lemmy.world 74 points 3 days ago (2 children)

They just closed the issue without even acknowledging it, lol

They acknowledged the remote debugging backdoor issue and fixed it a year ago.

It was enabled due that zen was still a toy project and we needed people to easily open the debugger for easier bug fixing. This was due because zen was not in a daily drivable state and didn't gain any sort of popularity yet.

https://github.com/zen-browser/desktop/pull/927

The telemetry issue is entirely different. Their handling of that is naive at best, dishonest at worst but it is completely different from the "backdoor".

load more comments (2 replies)
[–] WhyJiffie@sh.itjust.works 13 points 3 days ago* (last edited 3 days ago)

are you really surprised? that bugreport did not contain a single actionable detail. and then it refers to some forum without any real reference, name or URL. there may be truth to it, and the other issue was actually very important and ridiculous, but this issue report is a big wontfix, reopen with real details

load more comments (2 replies)
[–] async_amuro@lemm.ee 30 points 3 days ago (11 children)

Fucks sake, reading through these comments it appears the Zen browser developer doesn’t know what they are doing.

What alternatives are people using? I’m on Mac, iOS and Linux, avoiding Chrome/Safari and not looking to go back to Firefox, is there anything reliable/secure available?

[–] monarch@lemm.ee 2 points 1 day ago

Have you settled on anything yet? I really like the essentials part of zen but incompetence on that level scares me.

[–] FreeBird@lemmy.dbzer0.com 29 points 3 days ago (1 children)

LibreWolf

[–] Wildly_Utilize@infosec.pub 9 points 2 days ago* (last edited 2 days ago) (11 children)

https://github.com/arkenfox/user.js/issues/1906

Not sure about the health of librewolf either, this thread suggests it's 3 overworked parttimers unable to keep up

"Hey all, I'm on the LibreWolf team, and it's true that since the departure of @fxbrit the project has taken a total nosedive when it comes to keeping up to date with Arkenfox and settings in general. We're still making releases, but settings did not get updated."

"As @threadpanic said, since fxbrit left we have been in a kind of "maintenance" mode in terms of settings. Mainly because we are really only three people left"

"LW since fxbrit left/died/who-knows has gone to shit - I worked with him behind the scenes to make the right choices and while he would do his own analysis, we always agreed, and his voice influenced them. Now they don't know what they are doing, and in fact have compromised security and make really stupid decisions. Same goes for all the other forks - really dubious shit going"

I use mullvad browser as it's maintained by mullvad and tor project and avoid stuff like Zen/floorp completely

[–] FreeBird@lemmy.dbzer0.com 7 points 2 days ago* (last edited 2 days ago) (1 children)

Jesus fucking Christ. I am tired man. I'm tired. It's the second time I switch browsers today.

[–] gruhuken@slrpnk.net 4 points 2 days ago

Crazy that there's pretty much nothing we can fully trust as consumers 🥲

load more comments (10 replies)
load more comments (9 replies)
[–] lemmeBe@sh.itjust.works 30 points 3 days ago (3 children)

Whenever people ask about privacy oriented Firefox alternative, firm answer from most of us is Librewolf. However, for some, shiny things are hard to resist.

[–] sem@lemmy.blahaj.zone 10 points 2 days ago (1 children)

Librewolf isn't on Android, but IronFox is.

[–] lemmeBe@sh.itjust.works 2 points 1 day ago

I just found out from another thread that Fennec is alive. When DivestOS went under, Fennec was pronounced dead too (that was when I migrated to IronFox) .

However, it seems someone continued maintenance. Does anyone have more details?

[–] gruhuken@slrpnk.net 4 points 2 days ago (1 children)

I like Floorp but i have no idea how much more/less private it is. I just like customising it

[–] lemmeBe@sh.itjust.works 2 points 2 days ago

That's okay. Means privacy isn't your primary concern.

[–] MangoPenguin@lemmy.blahaj.zone 5 points 2 days ago (1 children)

Librewolf also tends to break sites sometimes, I don't want to deal with that

load more comments (1 replies)
[–] 01189998819991197253@infosec.pub 11 points 2 days ago

Were they... vibe coding? ⁽ᵖˡᵉᵃˢᵉ ˢᵃʸ ⁿᵒ ᵖˡᵉᵃˢᵉ ˢᵃʸ ⁿᵒ⁾

[–] jonathan@lemmy.zip 22 points 3 days ago (2 children)

I didn't see anything about a backdoor at the link.

[–] tias@discuss.tchncs.de 37 points 3 days ago (6 children)

It's weird link to this issue with that title, since the problem is only referenced in the discussion. The actual backdoor issue is here.

[–] fartsparkles@lemmy.world 41 points 3 days ago (1 children)

I thought it just allowede easier debugging, sorry

Fuuuuck. I wouldn’t eat a sandwich made by this person let alone a web browser. Forking and mucking around in a code base they clearly don’t understand. I get the feeling they’re one of those chmod -R 777 people.

[–] tias@discuss.tchncs.de 20 points 3 days ago* (last edited 3 days ago) (1 children)

I agree. That response made me lose any trust I had and I actually went to check that I didn't still have Zen browser installed from some earlier test run. He sounds like a script kiddie.

[–] freely1333@reddthat.com 18 points 3 days ago

He was obviously very amateur by reading his posts on Reddit. Zen is more of a skin than a real browser, but I guess that’s essentially what a fork is at some point.

load more comments (5 replies)
[–] optissima@lemmy.ml 13 points 3 days ago

https://github.com/zen-browser/desktop/issues/5947#issuecomment-2741902234

It's a link to a previous issue that was fixed, but it's an egregious one.

[–] rikudou@lemmings.world 17 points 3 days ago* (last edited 3 days ago) (1 children)

Well, at least they explained it! /s

I thought it just allowede easier debugging, sorry

Source

Edit: This comment is a gem, too.

load more comments (1 replies)
[–] puppinstuff@lemmy.ca 10 points 3 days ago (6 children)

So disappointing. I just transitioned my personal browsing from Arc to Zen Browser because it was the closest vertical tab experience I could find. Now I hope one of the other browsers will figure out and implement good drawer-based vertical tab UI.

[–] magikmw@lemm.ee 11 points 3 days ago (1 children)

Any Firefox-based browser can use "Tree style tabs" it's vertical tabs from the time before they were cool. Very customizable.

load more comments (1 replies)
load more comments (5 replies)
load more comments
view more: next ›