Bug found in Tor Browser for android


I think that I’ve found a bug within Tor Browser for android. When I visited disroots SearXNG instance, I noticed that the language was automatically set to en-IN(english-India), and that SearXNG automatically showed me Indian websites(I live in India). This was strange considering that I had not set any such preference earlier or provided any information that I was from India.

I initially assumed this must’ve happened because the exit relay for my connection might have been based in india, so I decided to check the location of the exit node I was using on various IP-checking websites. Interestingly, it showed that my exit relay was based in Luxembourg, not India. So I then forgot about this issue and later remembered it when I was messing around with my phones system language settings.

I then thought it might have something to do with my device language. So, I tested this by changing my device language to various other languages, and sure enough, the SearXNG instance was able to detect it. I think(I’m not sure) that this might potentially be a bug that could expose the country of the user in question. Please correct me if I’m wrong or if I’m being an idiot here, as I’m a noob when it comes to things like this.

I’ll provide some details regarding my OS, device, tor version, etc., below:

OS:Android 14, close to stock android(Stock ROM)
Device: Moto g34
Tor version: 13.0.14
Steps to reproduce: Go to a SearXNG instance, click on settings, and see if the device language matches the language shown by the engine
Tor Browser security level: Standard
Region I’m connecting from: India
Is tor censored in my country: no

I’m only reporting this issue because I’m concerned about search engines like Google and Bing using this info to partially fingerprint users.

Again, please tell me if I’m wrong or being an idiot here.

Thank you.



So the first thing to do is check what you are reporting via JS (which will match what you are requesting in headers)

  • visit TZP
  • scroll down to the fourth section named region
  • you will see something like this
  • apologies that its so tiny on a phone … just pinch to zoom, and ignore any and all red warning notations on the entire test (my Tor Browser JS detection has been broken on Android since TB13, so it’s not applying TB specific checks)

So there are two things here

  • language(s) which are also reflected in accept headers
  • locale

What do you report as?


Yes, we have a patch to remove the regional part from locales, but it might be broken.

In addition to what @thorin already said, could you please check in a site like myhttpheader.com what’s the value of Accept-Language for you? (It should match what you see in TZP, and possibly not contain en-IN, but en, or en-US).


it should match what you see in TZP

it should always matches languages and order but with q=0.x weightings. It certainly does on desktops - I tested them all because I am thorough :space_invader:

So my phone language is en-US. Going into settings and changing app language to fr (without a forced or prompted restart) this is what I get - so that’s definitely one problem

click me for pic

I’ll test later on with a restart


a quit and even a force stop didn’t do anything

@TorOps in one of your bad results on searX … what is your language in Settings > Language

    1. is the Request English versions ... on (circle slide to right) or off (circle slid to left)
    1. what in the list of languages has a check mark - both lines (i.e does it say Follow device language)
  • test on TZP and tell us the results


Apologies for the late response, I was busy from the last few days.

Anyways, I’ve tested on TZP and here are the results:

And Thorin, the request English versions slider is off, i.e., circle slid to the left, and in the list of languages, it says follow device language. Also, none of the languages in the list have a check mark next to them.

I hope this can be fixed soon! :slight_smile:

Thanking you,


1 Like

that’s weird

Unfortunately I do not have a non en-US phone. And there are several things going on, which may differ a little on mobile. Request English doesn’t behave the same when the original locale/language starts with en (such as en-IN, en-CA, en-GB). But the fact that the locale says en-US tells me things. Second is that this is not changing the languages to match the “request english” locale - i.e the bug I filed

One thing you could do is open about:config, search for intl and reset intl.accept_languages - but I don’t know exactly what state it is in (modified) - it probably thinks en-IN, en-US, en is correct, which is at least one of the issues



I wanted to try this:

So I tried going to about:config and yeah… It didn’t load. It just shows a blank screen.

1 Like

@TorOps I created Restrict the accepted languages to the ones whose localization is available (#42562) · Issues · The Tor Project / Applications / Tor Browser · GitLab. We’re going to solve it ASAP.
Thanks for your report.


So I tried going to about:config and yeah… It didn’t load. It just shows a blank screen

Hmm, you’re right - I thought we bypassed that lock - so for followup I opened TBA stable doesn't allow about:config (#42564) · Issues · The Tor Project / Applications / Tor Browser · GitLab