Cybersecurity researcher Sick.Codes has discovered a major vulnerability in the Tor Browser that allows a correlation attack capable of compromising the privacy of visits to v2 onion addresses.
The case was filed under CVE-2021-39246.
The vulnerability affects Tor Browser versions through 10.5.6 and 11.x through 11.0a4. It allows a local attacker with physical access to an affected device to view metadata about v2 domains, more precisely the exact timestamp at which a user connected to a v2 onion address while using the --log or --verbose command line options.
This way, an attacker can identify the exact moment a Tor user connected to a new v2 onion website. This would allow the attacker to easily triangulate the user using the complete set of connection timestamps available in the log file.
The problem is amplified by the fact that this timestamp is created every single time a Tor client connects to a v2 onion address. This can then be compared and correlated with a server connection log or a compromised Tor endpoint, if the attacker gains access to these data points.
Using the above, an attacker will then potentially be able to nullify the confidentiality and integrity of the user’s Tor session when --log or --verbose is being used.
The vulnerability is currently not fixed and is not expected to be fixed due to v2 Onion addresses becoming deprecated in October 2021.
V2 onion site connection timestamps are logged at the exact moment the server responds:
Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline
Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline
Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline
Sep 24 16:29:02.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline
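A defender-side check for the exposure described above, as an added example that is not from the original advisory or from the Tor Project: it scans a tor log for the v2 warning entries quoted above, lists the connection times they reveal, and returns a copy of the log with those entries removed. The sample log is constructed, the function names are hypothetical, and the year is passed in because the log format carries none.

```python
import re
from datetime import datetime

# Constructed sample: the [warn] entries follow the format quoted above
# (message text shortened); the [notice] line stands in for unrelated output.
SAMPLE_LOG = (
    "Sep 24 16:28:40.000 [notice] Bootstrapped 100% (done): Done\n"
    "Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. ...\n"
    "Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. ...\n"
    "Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. ...\n"
    "Sep 24 16:29:02.000 [warn] Warning! You've just connected to a v2 onion address. ...\n"
)

# Timestamp prefix plus the fixed opening of the deprecation warning.
V2_WARNING = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[warn\] "
    r"Warning! You've just connected to a v2 onion address\."
)


def find_v2_timestamps(log_text, year):
    """Return one datetime per v2 warning entry, in log order.

    The log format carries no year, so the caller supplies it (assumption).
    """
    hits = []
    for line in log_text.splitlines():
        match = V2_WARNING.match(line)
        if match:
            stamp = f"{year} {match.group('stamp')}"
            hits.append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f"))
    return hits


def scrub_v2_entries(log_text):
    """Return (log without v2 warning entries, number of entries removed)."""
    kept, removed = [], 0
    for line in log_text.splitlines(keepends=True):
        if V2_WARNING.match(line):
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    times = find_v2_timestamps(SAMPLE_LOG, 2021)
    print(f"{len(times)} v2 entries, {len(set(times))} distinct connection times")
    cleaned, removed = scrub_v2_entries(SAMPLE_LOG)
    print(f"removed {removed} entries; remaining log:\n{cleaned}", end="")
```

Scrubbing only helps for logs already written; while --log or --verbose stays in use, new entries keep being recorded.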
2021-07-02 – Researcher discovers a vulnerability on bounty platform
2021-07-07 – Report closed as informative
2021-08-17 – Researcher requests CVE
2021-08-17 – Vendor re-notified via sec mailing list and on bounty platform chat.
2021-09-10 – No response: researcher opens Pull Request to remove timestamps.
2021-09-24 – CVE published
Tor Browser latest 10.5.6 is affected.
Tor Browser alpha 11.0a4 is affected.
Last September, Tor announced that it would be deprecating v2 onion addresses.
In June 2021, the Tor browser began to warn users about this update every time they accessed a v2 domain. This warning gets logged with the exact timestamp of the server connection time while using the --log or --verbose command line options.
Previously, in August 2021, Sick.Codes discovered a vulnerability with similar impact that has its origin in the present Tor vulnerability.
It affected Brave browser 1.27 and below, where the browser permanently logged the server connection time for all v2 Tor domains to ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log
As in this case, the Brave vulnerability also allowed an attacker who obtained physical access to a device to view the exact timestamps at which someone connected to a v2 onion address.
This could have helped the attacker establish the moment the user connected to a new v2 .onion site. Comparing this to server logs, the attacker would have been able to identify the affected user.
Sick Codes https://github.com/sickcodes || https://twitter.com/sickcodes
Miklos Zoltan https://twitter.com/mzb4455 || https://www.privacyaffairs.com/authors/miklos/