Zen browser had a backdoor enabled by default

46 points by nobunaga, about 2 months ago

15 comments

nobunaga, about 2 months ago
I think it’s important to raise issues with project maintainers directly before publicizing issues, and that’s been the case here; however, the devs are not really responding appropriately or showing a massive lack of incompetence.

For those not aware, Zen browser markets itself as a privacy-conscious browser; however, a serious backdoor has been found and multiple topics regarding its lack of privacy have been practically ignored.

I think it’s important to raise awareness of this as the browser is gaining popularity and it’s clear the devs lack the experience to secure the browser.

Edit: Other GitHub issues with lack of interest from devs: https://github.com/zen-browser/desktop/discussions/5907#discussioncomment-12366556 https://github.com/zen-browser/desktop/issues/5947
Alifatisk, about 2 months ago
Is it worth adding (2024) to the title? That "backdoor" (remote debugging) was an issue dated 24 Aug 2024. https://github.com/zen-browser/desktop/pull/927

Current title made it seem like it's an active issue. When clicking on the link, it leads to a discussion forum about "Telemtry and privacy issues", so even the title and the link do not match.
sakisv, about 2 months ago
Starting a bit of a tangent here I admit, but this makes me much more worried about the future of mobile browsing.

Sure, soon enough a decent non-chromium based desktop browser will come along, be it Zen or something else, but what about the mobile world?

Right now Firefox is perfect for me: It makes the web browsable by allowing uBlock Origin, it syncs my tabs, history and bookmarks, it's great.

Moving to a scenario that we have a different browser on the desktop and a different one on the phone or, worse, the same on the phone but without adblocking sounds like a huge regression.

P.S. Regarding Zen: If you want to be taken seriously, or at least as something more than a toy project, teaching your maintainers how to talk to your (potential) users will go a long way. Telling them off will not gain you any friends. (I'm referring to the GitHub discussion mentioned in a sibling comment: https://github.com/zen-browser/desktop/discussions/5907)
Barrin92, about 2 months ago
> I thought it just allowed easier debugging, sorry

When Zen browser was posted here first I saw that the people behind it mostly seemed to be uni students in their early 20s, so on their side I'd cut them some slack for inexperience, but on the other hand it's why I'd never recommend anyone to run a browser fork like this; you might as well start buying birth control off Craigslist.

Lots of people recommending "forks of forks of forks" browsers and also Linux distros these days largely maintained like this, but from a security standpoint it's kind of crazy.
plain, about 2 months ago
The repo owner is in damage control mode. He just renamed the title and commented on a 7-month-old PR, now admitting it was a toy project back then. He claims it was "NOT because of un-experience" and that, 7 months after the fix, they "now provide the most private and secure experience". It doesn't seem convincing to me, but very comical.
dimava, about 2 months ago
@dang could you please update the title to

> Zen Browser has Remote Debugger enabled by default (2024)

to reduce confusion (as issue title was updated)

> It was enabled due that zen was still a toy project and we needed people to easily open the debugger for easier bug fixing. This was due because zen was not in a daily drivable state and didn't gain any sort of popularity yet.
jofzar, about 2 months ago
I'm a little bit confused here. You are saying they are not responding appropriately but this was raised as an issue and merged the same day?
sevg, about 2 months ago
If anyone is looking to stick with Firefox-based browsing, I’d recommend vanilla Firefox with arkenfox/user.js [0] and uBlock Origin.

[0]: https://github.com/arkenfox/user.js
account-5, about 2 months ago
This has definitely put me off using Zen. I was actively testing it as a replacement for Firefox, but at least Firefox is upfront about what it's doing, and you can disable it (something not so easily done in any other browser, afaiu).
jackstraw14, about 2 months ago
I've probably had Zen Browser uninstalled from my system for about a year, and I just checked my AppData folder, found a 'zen' folder which eventually became 'zen-browser', and 2300+ files still sitting in my AppData/Roaming folder. Maybe it's leftover stuff from extensions I installed but.... I probably just forgot to check the "delete all user profiles and settings" box, but who knows.

Going to do a pretty thorough tidying-up of my PC after this. Thanks for posting, OP.
ramon156, about 2 months ago
Can anyone talk some confidence about the project altogether? When it was first on HN I skimmed through the repos and just wasn't convinced this was a very good project to begin with.

How secure is the actual browser for example?
Yoric, about 2 months ago
This issue doesn't seem to talk about a backdoor at all.

There was apparently another issue that could be described as a backdoor, and afaict this issue was fixed.

Now, if you are concerned about the privacy of Telemetry, that's an entirely valid concern. But we're techies, can we please at least use the right vocabulary?
tummler, about 2 months ago
Can it just be forked into a branch with telemetry removed/disabled?
scarfaceneo, about 2 months ago
Yelp, back to librewolf it is.
ahofmann, about 2 months ago
“security problems are just bugs” - Linus Torvalds

And he is 100% right on this. The whole thread, or even that it got posted here on in shows the problem. It was just a bug. The maintainer fixed it. Open source works. It makes no sense to throw the whole project under the bus, just because one maintainer made a mistake that happened to be a security problem. The last day this project closed 12 issues. Why is one issue, that was closed 7 months ago, such a problem that we discuss this here? This is FUD against the project.