Zen browser had a backdoor enabled by default
17 comments
March 22, 2025 · nobunaga
isidor3
I do think it's important to raise issues like this, but I personally hope that it means people put more careful eyes on it and pitch in patches so the project succeeds rather than people avoiding it.
(totally unbiased opinion from having just switched to it after apparently not enough research and not wanting to continue the browser hunt)
jofzar
I'm a little bit confused here. You are saying they are not responding appropriately but this was raised as an issue and merged the same day?
Retr0id
The developer response indicates that they were flipping security-sensitive configs based on vibes alone.
While the fix was merged promptly in this instance, they don't appear to have undertaken any kind of systematic reform.
SG-
but it got fixed. this is a free project, people like yourself are honestly a cancer to these projects and developers.
nobunaga
If your main primary marketing line is privacy focused and you ignore multiple issues raised and avoid any and all discussions about the privacy you promise, then I think it's valid to be concerned.
Your premise that people should be able to market their project with promises and not live up to them, especially privacy in this day and age, is the real cancer. And people like yourself pushing the acceptance of this behaviour is cancer too.
ckolkey
...seven months ago, no less
dimava
@dang could you please update the title to
> Zen Browser has Remote Debugger enabled by default (2024)
to reduce confusion (as issue title was updated)
> It was enabled due that zen was still a toy project and we needed people to easily open the debugger for easier bug fixing. This was due because zen was not in a daily drivable state and didn't gain any sort of popularity yet.
sevg
If anyone is looking to stick with Firefox-based browsing, I’d recommend vanilla Firefox with arkenfox/user.js [0] and uBlock Origin.
Barrin92
> I thought it just allowed easier debugging, sorry
When Zen browser was posted here first I saw that the people behind it mostly seemed to be uni students in their early 20s, so on their side I'd cut them some slack for inexperience, but on the other hand it's why I'd never recommend anyone to run a browser fork like this; you might as well start buying birth control off Craigslist.
Lots of people recommending "forks of forks of forks" browsers and also Linux distros these days largely maintained like this, but from a security standpoint it's kind of crazy.
bschmidt977
[flagged]
ahofmann
“security problems are just bugs” - Linus Torvalds
And he is 100% right on this. The whole thread, or even that it got posted here on in shows the problem. It was just a bug. The maintainer fixed it. Open source works. It makes no sense to throw the whole project under the bus just because one maintainer made a mistake that happened to be a security problem. The last day this project closed 12 issues. Why is one issue that was closed 7 months ago such a problem that we discuss this here? This is FUD against the project.
nobunaga
Please. Posting my reply to you to the same comment below
My main concern is the lack of interest in the security problems being raised and the constant attempt at silencing of people raising issues or silence itself. Not just this bug but other links were provided on and the developers' deliberate attempt at ignoring or shutting down discussion. This isn't just about one bug. Don't be so naive. The developer is selling a product on a given feature, privacy, and they neither care about it nor have the ability to implement privacy properly. Have you checked the other links? Have you seen all the other privacy issues raised and how the developer has responded to them?
What about the people who believe them that the browser is private when it's not? What if genuinely someone relied on its privacy for their important work but in reality it's not? This isn't about the developer. It's bigger than that and your ignorance on this is kind of part of the problem.
I think it’s important to raise issues with project maintainers directly before publicizing issues, and that’s been the case here; however, the devs are not really responding appropriately or showing a massive lack of incompetence.
For those not aware, Zen browser markets itself as a privacy-conscious browser; however, a serious backdoor has been found and multiple topics regarding its lack of privacy have been practically ignored.
I think it’s important to raise awareness of this as the browser is gaining popularity and it’s clear the devs lack the experience to secure the browser.
Edit: Other GitHub issues with lack of interest from devs:
https://github.com/zen-browser/desktop/discussions/5907#disc...
https://github.com/zen-browser/desktop/issues/5947