A cybersecurity researcher has disclosed two vulnerabilities in the Tor privacy project that could facilitate the detection of network traffic and uniquely reveal who uses the tool.
Neal Krawetz, a researcher with extensive experience in cybersecurity, published on his blog two errors or vulnerabilities detected in the Tor project, which is focused on ensuring the privacy of its users, or at least that's what they want us to believe. In his post, Krawetz indicates that Tor is designed to avoid censorship on the network and evade surveillance, thus offering a high level of security and privacy for its users. However, the researcher points out two recent exploits that destroy the privacy and security properties offered by its developers, by allowing Tor users to be detected on the network.
One of the problems detected by Krawetz is that it is possible to detect the width of the scrollbar in the custom web browser that the project typically recommends for use with Tor. This flaw allows a server to track the underlying operating system and therefore users, thereby preventing network surveillance from being evaded. Secondly, the researcher points to another exploit that allows companies, service providers, and others to block users from connecting directly to the Tor network, so that censorship of users on the network is not prevented.
Although Krawetz's publications are recent, the researcher points out that he has been informing Tor developers about the vulnerabilities he detected for several years. To do so, he provided reliable evidence proving the existence of these errors, although the developers did not, for the most part, treat the reports as serious enough to fix the exploits.
Tor does not allow you to browse completely anonymously
For privacy lovers, by right, choice or necessity, the Tor network stands as an option that offers complete and total anonymity to its users when browsing the web. However, Krawetz comments that:
“Many users think Tor makes them anonymous. But Tor users can be tracked online; they are not anonymous.”
Krawetz pointed this out in his recent post, but he is not alone in expressing this view. For several years, companies and researchers have pointed out the vulnerabilities of the “privacy” network, arguing that these services are not as anonymous or unbreakable as many tend to believe.
Tor was designed as a safe and easy-to-use option for anyone who wants to browse the Internet safely and privately, protecting their personal data at all times. And although the developers' objective was met at the beginning, it is also true that for years the network has been facing several security vulnerabilities, which have been detected and reported by experts, but which were often ignored by those responsible for the project, although they claim this was not the case.
Despite this, many users still consider Tor to be one of the safest options on the market to protect their privacy and data.
Vulnerabilities detected in Tor
As mentioned earlier, Krawetz's recent posts point to two bugs in the Tor network that allow for the detection of network traffic, as well as the tracking and blocking of users. Similarly, in 2015, another bug was discovered in the network, one related to the assignment of HSDir nodes, which are used to connect users to web pages.
Developers and researchers Filippo Valsorda and George Tankersley detected the vulnerability, explaining that the node connections were predictable, which is why any knowledgeable attacker could impersonate one of the HSDir nodes to which a website would connect, in order to access both the server data and that of the connected users.
By that time, the developers of the Tor project announced that they were working on a new generation of HSDir nodes to solve the vulnerability and, similarly, they pointed out that if a user executed such an attack, they would be detected on the network.
In that same year, researchers from Kaspersky Lab also pointed out that Tor had certain vulnerabilities and errors that did not allow complete anonymity on this network. In addition, an investigation carried out by the Massachusetts Institute of Technology (MIT) and the Qatar Computer Research Institute (QCRI) also revealed a vulnerability in Tor, which exposes the identities and locations of users who use this network in an attempt to hide their activities.
More recently, in May of this year, another vulnerability was discovered that breaks one of the network's key privacy and security features by allowing JavaScript code to run on sites that users had previously blocked from running. Krawetz also detected this vulnerability and attempted to alert developers of the error found.
“Over three years ago, I attempted to report a vulnerability in the custom browser used by the Tor Project. The bug is quite simple: using JavaScript, the width of the scrollbar can be identified. Each operating system has a different scrollbar size, so an attacker can identify the underlying operating system. This is a distinctive attribute that can be used to help uniquely track Tor users.”
Krawetz claims he wrote a blog post with details about the error and that the developers treated the bug as “high priority”, assigning it the number 22137, and immediately began working on fixing it. About 3 months later the developers marked the bug as fixed, and Krawetz received a reward for detecting the flaw. Despite this, the researcher points out that he checked later and the vulnerability is still present, as it was never fixed.
“Although it was marked as ‘resolved,’ the issue was never fixed.”
Tor's response to the detection of security vulnerabilities
Tor says the vulnerabilities and bugs recently discovered by the researcher are not unknown to the project's development team, and that they have been working hard to fix all the bugs found on the network.
On the other hand, although the researcher claims that he provided real evidence about the errors, Tor believes that this does not really support his statements, something that Krawetz took as incompetence on the part of the team, stating that he would not try to alert Tor again of any security flaws that he discovers. Krawetz claims that his publication is “extremely technical”, so it contains all the details necessary for other network developers to replicate his findings.