I just noticed that when I’m trying to search something on Chrome, at first Google suggests global results similar to what I’m typing (e.g. suggests oppenheimer * when I typed “o”) but a few seconds later it changes the results relevant to my real IP address!
Well now you may say that it could be because my exit node is in my real country by accident, but it’s not possible. First of all Tor is banned here and there is no computer dedicated to Tor network here, secondly I checked my IP address through some websites and they showed a Tor IP in a different country. So I noticed when I’m surfing the web in Chrome and visit websites or using the extensions it uses Tor and the only place it reveals the real IP is in the search bar suggestions…
One thing else, each time I run Whonix and run Chrome in it for like 20 seconds I can not visit any websites or use extensions, but in the meanwhile the search bar gives me suggestions from the internet (probably using my real IP).
Which virtualizer?
Chrome is discouraged. Documented here:
You mean relevant to your geographic location?
Related:
A likely possibility: You previously performed activities related to your geographic location from the same Whonix-Workstation. Google set a cookie and remembered you, now suggesting things relevant to you. That’s what Google does. That’s why browsers other than Tor Browser at time of writing are discouraged.
Other possibilities:
- GeoIP database issues / a Google bug. We won’t know since it’s all closed source and running on Google’s server only.
- Previously using keys which only exist in your local language for Google search.
- Even if using Tor as a client is blocked in your country, Tor relays might not be blocked. I couldn’t easily find a list of Tor relays sorted by country. How would you know?
- Whonix-Workstation settings changes (such as language settings) which are detected by Chrome and leaked to Google.
- malware
- Changed any networking related VM settings?
You used an Unsuitable Test.
If this was an issue, technical users performing Leak Tests (or Security Reviews and Feedback - Whonix) would have reported this already. Multiple users, among them years-long users, would report the same issue. Not only new users with zero history.
Even if Google or anyone had the possibility to break Tor or Whonix, they would not inform us about their capability by showing more relevant search results.
Non-technical users lack the capability to find IP leaks. It requires knowledge on using packet analyzers and understanding their output or using some tool (such as a browser, command line downloader) running inside Whonix-Workstation and showing the user’s real external IP address. This requires being a sysadmin or similar.
That’s just the way it is. I am a non-doctor and therefore I lack the capability to perform heart surgery. There is no shame in that.
In summary: There is no evidence your IP was leaked from inside Whonix-Workstation.
I use “Oracle VM VirtualBox”.
I know using Chrome is discouraged but I had to use it cause I could run some extensions only in it, with the idea that “everything on Whonix goes through Tor”.
You mean relevant to your geographic location?
Yes exactly.
I tested it on a fresh Chrome profile so it had no cookies at all.
I also removed my other language keyboard and the only one that remained is English.
GeoIP database issues / a Google bug. We won’t know since it’s all closed source and running on Google’s server only.
I don’t really get what you mean, if Whonix passes every web request through Tor even if a program tries to spy it shouldn’t be able.
Even if using Tor as a client is blocked in your country, Tor relays might not be blocked. I couldn’t easily find a list of Tor relays sorted by country. How would you know?
Well, I’m using Tor for a long time, I’m pretty sure there’s no Tor relay here and also this issue happens every time, the possibility of this consequence is practically zero.
- Changed any networking related VM settings?
No sir, I haven’t.
Everything literally shows that somehow the IP leaked for a part of Chrome whether it’s a bug, a malware or anything else.
Specifically difficult to mess up with, cause an IP leak with VirtualBox.
This can go wrong such as deleting the wrong folder, typo in the command or not deleting enough folders.
This can also go wrong.
Without an exact description, it cannot be said if it was done correctly or not.
It’s a free or paid service of IP addresses linking these to geographic locations.
No matter what IP, user’s real IP address or Tor exit relay, Google (and others) use GeoIP database to map IP addresses to locations.
This can go wrong due to bugs.
There is no evidence for this except for a vague description and interpretation of Google search suggestions jumping to the conclusion of IP leaks.
Unless someone can demonstrate to run a command inside Whonix-Workstation that results in showing the user’s real external IP address, there is no anonymity / routing related bug. [1]
This report is not actionable. Nothing that could be done from the Whonix side.
Recommendations:
- Stop using Chrome.
- Use Tor Browser.
- Use a new VM.
If you believe there’s an IP leak bug in Whonix at this point there is not much you can do, except:
- Become a sysadmin, learn networking.
- Pay somebody to investigate this issue. (Not me, because I cannot see any issue.)
- Stop using Whonix.
[1] Excluding security bugs such as a hypothetical vulnerability that breaks VirtualBox, the kernel. But this isn’t applicable here. This here is more like “just use Chrome, just go to Google, boom, IP leak” claim rather than “complex exploitation code breaking VirtualBox”.
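
The kind of packet-analyzer check referred to in the thread, as an added example that is not part of the original posts and not Whonix's own tooling: it reads `tcpdump -nn` text output captured on the host's physical interface and reports every outbound destination that is not a known Tor relay. The addresses, the relay set and the capture lines are constructed, and it assumes the host itself is otherwise idle and no bridges are in use.

```python
import re
from ipaddress import ip_address

# tcpdump -nn text line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
FLOW = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

def find_leaks(lines, host_ip, tor_relays):
    """Return (dst_ip, dst_port) for outbound flows that bypass Tor.

    host_ip    -- address of the host's physical interface (assumption)
    tor_relays -- relay addresses, e.g. taken from the Tor consensus
    """
    relays = {ip_address(r) for r in tor_relays}
    host = ip_address(host_ip)
    leaks = []
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue  # ARP, IPv6, truncated lines: not handled here
        src, dst, dport = ip_address(m[1]), ip_address(m[3]), int(m[4])
        if src != host:
            continue  # inbound replies are not evidence of a leak
        if dst in relays:
            continue  # expected: the Gateway talking to a Tor relay
        flow = (str(dst), dport)
        if flow not in leaks:  # report each destination once, in order
            leaks.append(flow)
    return leaks

# Constructed sample capture (documentation address ranges, not real hosts).
HOST = "192.0.2.10"
RELAYS = {"198.51.100.7", "198.51.100.22"}
SAMPLE = """\
12:00:01.100000 IP 192.0.2.10.51234 > 198.51.100.7.9001: Flags [S], seq 1, win 64240, length 0
12:00:01.150000 IP 198.51.100.7.9001 > 192.0.2.10.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.200000 IP 192.0.2.10.51300 > 198.51.100.22.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:05.300000 IP 192.0.2.10.40000 > 203.0.113.53.53: 4242+ A? suggest.example. (33)
12:00:05.400000 IP 192.0.2.10.51400 > 203.0.113.80.443: Flags [S], seq 5, win 64240, length 0
12:00:05.900000 IP 192.0.2.10.51400 > 203.0.113.80.443: Flags [P.], seq 6:200, ack 1, win 502, length 194
""".splitlines()

if __name__ == "__main__":
    for dst, port in find_leaks(SAMPLE, HOST, RELAYS):
        print(f"non-Tor destination: {dst}:{port}")
```

An empty result over a capture that spans the browsing session is what a correctly routed setup looks like; a clear-text DNS query or a direct HTTPS connection, as in the last three sample lines, is the kind of evidence that would make a leak report actionable.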