Zen browser had a backdoor enabled by default (github.com/zen-browser)
46 points by nobunaga 3 months ago | hide | past | favorite | 31 comments



I think it’s important to raise issues with project maintainers directly before publicizing issues, and that’s been the case here; however, the devs are not really responding appropriately or are showing a massive lack of incompetence.

For those not aware, Zen browser markets itself as a privacy-conscious browser; however, a serious backdoor has been found, and multiple topics regarding its lack of privacy have been practically ignored.

I think it’s important to raise awareness of this as the browser is gaining popularity and it’s clear the devs lack the experience to secure the browser.

Edit: Other GitHub issues with lack of interest from devs: https://github.com/zen-browser/desktop/discussions/5907#disc... https://github.com/zen-browser/desktop/issues/5947


I do think it's important to raise issues like this, but I personally hope that it means people put more careful eyes on it and pitch in patches so the project succeeds rather than people avoiding it.

(totally unbiased opinion from having just switched to it after apparently not enough research and not wanting to continue the browser hunt)


Is it worth adding (2024) to the title? That "backdoor" (remote debugging) was an issue dated 24 aug 2024. https://github.com/zen-browser/desktop/pull/927

The current title made it seem like it's an active issue; clicking the link leads to a discussion forum about "Telemetry and privacy issues", so even the title and the link do not match.


Starting a bit of a tangent here I admit, but this makes me much more worried about the future of mobile browsing.

Sure, soon enough a decent non-chromium based desktop browser will come along, be it Zen or something else, but what about the mobile world?

Right now Firefox is perfect for me: it makes the web browsable by allowing uBlock Origin, it syncs my tabs, history and bookmarks, it's great.

Moving to a scenario where we have a different browser on the desktop and a different one on the phone or, worse, the same on the phone but without adblocking sounds like a huge regression.

P.S. Regarding Zen: if you want to be taken seriously, or at least as something more than a toy project, teaching your maintainers how to talk to your (potential) users will go a long way. Telling them off will not gain you any friends. (I'm referring to the GitHub discussion mentioned in a sibling comment: https://github.com/zen-browser/desktop/discussions/5907)


> I thought it just allowed easier debugging, sorry

When Zen browser was posted here first, I saw that the people behind it mostly seemed to be uni students in their early 20s, so on their side I'd cut them some slack for inexperience; but on the other hand, it's why I'd never recommend anyone run a browser fork like this. You might as well start buying birth control off Craigslist.

Lots of people are recommending "forks of forks of forks" browsers, and also Linux distros these days, largely maintained like this, but from a security standpoint it's kind of crazy.


The repo owner is in damage control mode. He just renamed the title and commented on a 7 month old PR, now admitting it was a toy project back then. He claims it was "NOT because of un-experience" and that, 7 months after the fix, they "now provide the most private and secure experience". It doesn't seem convincing to me, but very comical.


@dang could you please update the title to

> Zen Browser has Remote Debugger enabled by default (2024)

to reduce confusion (as issue title was updated)

> It was enabled because zen was still a toy project and we needed people to easily open the debugger for easier bug fixing. This was because zen was not in a daily drivable state and hadn't gained any sort of popularity yet.


I'm a little bit confused here. You are saying they are not responding appropriately, but this was raised as an issue and merged the same day?


The developer response indicates that they were flipping security-sensitive configs based on vibes alone.

While the fix was merged promptly in this instance, they don't appear to have undertaken any kind of systematic reform.


But it got fixed. This is a free project; people like yourself are honestly a cancer to these projects and developers.


If your main marketing line is privacy focused and you ignore multiple issues raised and avoid any and all discussions about the privacy you promise, then I think it's valid to be concerned.

Your premise that people should be able to market their project with promises and not live up to them, especially privacy in this day and age, is the real cancer. And people like yourself pushing the acceptance of this behaviour is cancer too.


“security problems are just bugs” - Linus Torvalds

And he is 100% right on this. The whole thread, or even that it got posted here on HN, shows the problem. It was just a bug. The maintainer fixed it. Open source works. You can't throw the whole project under the bus just because the maintainer made a mistake that happened to be a security problem.


My main concern is the lack of interest in the security problems being raised and the constant attempts at silencing people raising issues, or silence itself. Not just this bug: other links were provided, and the developers deliberately attempt to ignore or shut down discussion. This isn't just about one bug. Don't be so naive. The developer is selling a product on a given feature, privacy, and they neither care about it nor have the ability to implement privacy properly.

What about the people who believe them that the browser is private when it's not? What if someone genuinely relied on its privacy for their important work but in reality it's not private? This isn't about the developer. It's bigger than that, and your ignorance on this is kind of part of the problem.


First of all: I'm not using Zen browser, I don't know what it is, what it sells, etc. Frankly, I don't care about Zen browser and I've not read the other links you provided.

I wrote my post because there is a strange thing happening when security bugs are discovered: everyone seems to panic. And in every discussion on such threads people will throw in their alternatives that should be used because this one is clearly not up for the job...

Threads like this are actively hurting the project and the cause. The bigger picture is that this behavior hurts all alternative projects. There is a constant barrage of problems that the maintainers are dealing with, and everyone thinks his problem should be solved first. This is not how building software works. As a maintainer you can't help everyone every time. And people like you, who run around on the Internet and create the feeling that the maintainer is careless, can kill the project. The mega corps have PR teams that deal with problems like this, because they know how dangerous this can get. Even Firefox isn't big enough to absorb all the shit that is thrown at them. How can some little project on GitHub deal with people like you? They can't, and they can lose their project because of this.

I don't want that. I want alternatives to rise and thrive. I want an internet where sixteen browser engines are competing against each other, not two or three. So please stop shitting on the little projects that try to do better. Instead, contribute, file issues, and enjoy that it is possible to build better software together.


I want an internet where sixteen browser engines are competing against each other, not two or three, and that live up to the claims they set out and use as marketing. So please stop shitting on people who raise legitimate concerns, and on maintainers who suppress or ignore information about the concerns raised.

You don't know how many PRs I've submitted to open source projects. So maybe don't make shitty claims yourself. I think holding people accountable for the statements they make is pretty much what's happening here. Yet people like yourself think it's ok that companies or products say one thing but then do another.


You are right that I assumed a few things. That wasn't right; I'm sorry.

But: this doesn't change the validity of my points.

Also: I assumed good faith when I engaged with you. That was a mistake. After I posted my stuff here, I saw that you opened another thread on HN about Zen browser. If I had seen this earlier, I wouldn't have engaged with you at all. You are throwing around FUD about Zen browser. I don't know why you are doing this, and I don't need to find out. As I said elsewhere, I don't care about Zen browser.

Posting FUD (Fear, Uncertainty and Doubt) is the most useless type of content that gets posted. It gets upvotes, mostly because our brains are pretty much hardwired to engage with such content. I've sadly walked into that trap today.


...seven months ago, no less


If anyone is looking to stick with Firefox-based browsing, I’d recommend vanilla Firefox with arkenfox/user.js [0] and uBlock Origin.

[0]: https://github.com/arkenfox/user.js


This has definitely put me off using zen. I was actively testing it as a replacement for Firefox, but at least Firefox is upfront about what it's doing, and you can disable it (something not so easily done in any other browser, afaiu).


I've probably had Zen Browser uninstalled from my system for about a year, and I just checked my AppData folder, found a 'zen' folder which eventually became 'zen-browser', and 2300+ files still sitting in my AppData/Roaming folder. Maybe it's leftover stuff from extensions I installed, but... I probably just forgot to check the "delete all user profiles and settings" box, but who knows.

Going to do a pretty thorough tidying-up of my PC after this. Thanks for posting, OP.


Can anyone talk with some confidence about the project altogether? When it was first on HN I skimmed through the repos and just wasn't convinced this was a very good project to begin with.

How secure is the actual browser for example?


Why use some new niche reskin hobby browser which can't even do the very basic thing of copying one of the user.js privacy improvement projects, when actually competent alternatives like Mullvad Browser or LibreWolf exist?


This issue doesn't seem to talk about a backdoor at all.

There was apparently another issue that could be described as a backdoor, and afaict this issue was fixed.

Now, if you are concerned about the privacy of Telemetry, that's an entirely valid concern. But we're techies, can we please at least use the right vocabulary?


Can it just be forked into a branch with telemetry removed/disabled?


Welp, back to LibreWolf it is.


“security problems are just bugs” - Linus Torvalds

And he is 100% right on this. The whole thread, or even that it got posted here on HN, shows the problem. It was just a bug. The maintainer fixed it. Open source works. It makes no sense to throw the whole project under the bus just because one maintainer made a mistake that happened to be a security problem. In the last day this project closed 12 issues. Why is one issue that was closed 7 months ago such a problem that we discuss it here? This is FUD against the project.


Please. Posting my reply to you from the same comment below:

My main concern is the lack of interest in the security problems being raised and the constant attempts at silencing people raising issues, or silence itself. Not just this bug: other links were provided, and the developers deliberately attempt to ignore or shut down discussion. This isn't just about one bug. Don't be so naive. The developer is selling a product on a given feature, privacy, and they neither care about it nor have the ability to implement privacy properly. Have you checked the other links? Have you seen all the other privacy issues raised and how the developer has responded to them?

What about the people who believe them that the browser is private when it's not? What if someone genuinely relied on its privacy for their important work but in reality it's not private? This isn't about the developer. It's bigger than that, and your ignorance on this is kind of part of the problem.


[flagged]


I’m not saying the back door issue looks good, but it is pretty disingenuous to make a bold title (backdoor) and link to a different issue (privacy) entirely.


One dev allowed remote debugging which introduced a backdoor and what's really bad about it is there was no prompt that the remote debugger had been started. He said he thought it would make debugging easier. That was a wtf moment for me. Sure, introduce that feature if you know what you're doing. The devs seem really inexperienced which is concerning.
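The combination described in this comment (remote debugging switched on, with no prompt before a debugger attaches) is something a defender can audit in any Firefox-based profile rather than take on trust. The script below is an added example, not code from this thread or from the Zen project: it parses `user_pref("name", value);` lines as found in a profile's `prefs.js` or a `user.js` overlay, checks the Firefox preferences that govern the remote debugger (`devtools.debugger.remote-enabled`, `devtools.debugger.prompt-connection`, `devtools.debugger.force-local`, which are real Firefox preference names), and emits the `user.js` overrides that put the profile back to the locked-down defaults. The two sample preference files are constructed for the example and are not Zen's actual configuration.

```python
import re

# Matches one Firefox-style preference line:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Locked-down values: these are also Firefox's shipped defaults, so a
# profile that does not mention a key at all is treated as having it.
HARDENED = {
    "devtools.debugger.remote-enabled": False,   # no remote debug server
    "devtools.debugger.prompt-connection": True, # ask before a client attaches
    "devtools.debugger.force-local": True,       # only accept loopback clients
}


def _parse_value(raw):
    """Convert the JS literal on the right of a user_pref() into a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # unknown literal: keep verbatim rather than guess


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit_remote_debugging(prefs):
    """List the risky remote-debugger settings found in a parsed profile."""
    findings = []
    remote = prefs.get("devtools.debugger.remote-enabled", HARDENED["devtools.debugger.remote-enabled"])
    prompt = prefs.get("devtools.debugger.prompt-connection", HARDENED["devtools.debugger.prompt-connection"])
    local = prefs.get("devtools.debugger.force-local", HARDENED["devtools.debugger.force-local"])
    if remote:
        findings.append("remote debugging is enabled")
        if not prompt:
            findings.append("no connection prompt: a debugger can attach silently")
        if not local:
            findings.append("force-local disabled: debug server not restricted to loopback")
    return findings


def hardened_overrides(prefs):
    """user.js lines that would bring the profile to the HARDENED values."""
    lines = []
    for name, wanted in HARDENED.items():
        if prefs.get(name, wanted) != wanted:
            js_value = "true" if wanted else "false"
            lines.append(f'user_pref("{name}", {js_value});')
    return lines


# Constructed sample: the risky state the comment describes.
SAMPLE_RISKY = '''
user_pref("devtools.debugger.remote-enabled", true);
user_pref("devtools.debugger.prompt-connection", false);
user_pref("browser.startup.homepage", "about:home");
'''

# Constructed sample: the same profile after the overrides are applied.
SAMPLE_HARDENED = '''
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.debugger.prompt-connection", true);
user_pref("devtools.debugger.force-local", true);
'''

if __name__ == "__main__":
    for label, text in (("risky", SAMPLE_RISKY), ("hardened", SAMPLE_HARDENED)):
        prefs = parse_prefs(text)
        print(f"[{label}] findings: {audit_remote_debugging(prefs)}")
        for line in hardened_overrides(prefs):
            print(f"[{label}] add to user.js: {line}")
```

Point the parser at a real profile's `prefs.js` to see what the browser actually persisted, since a build's compiled-in defaults only show up there once a value differs from upstream Firefox. Absent keys are scored as safe here because that matches Firefox's shipped defaults; a fork that changes a default without writing it to the profile would not be caught by this check alone.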


> One dev allowed remote debugging which introduced a backdoor and what's really bad about it is there was no prompt that the remote debugger had been started. He said he thought it would make debugging easier

This is just the start of the madness. Mistakes like this are typically from so-called JS/TS developers who ‘think’ they can maintain core browser technology.

We’ll certainly get more of these typical amateur mistakes in the AI age, and will certainly get this from vibe-coders who completely have no idea what they are doing.

This is a different league in engineering and we’re starting to realize that perhaps it is a bad idea to hire devs who have little experience in building production-grade browsers because they are too used to tolerating the clumsiness of the JS/TS ecosystem.


I'm not a JS/TS developer, but I am definitely a novice. I'm somewhat overly cautious when I deal with things that involve network programming and services, as I know my limitations around such stuff. With all that said, it seems like nothing new would happen, since the pool of appropriately skilled devs is really small.

Just to note I'm not making excuses for the issue in the article.



