Multiple zero-day vulnerabilities in Tor have been disclosed online

(Image credit: Tor Project)

After unsuccessfully trying to report bugs to the Tor Project for years, a security researcher has publicly disclosed two zero-day vulnerabilities which impact both the Tor network and the Tor browser.

In two recent blog posts, Dr. Neal Krawetz announced that he has decided to go public with details on multiple zero-days in Tor after the Tor Project failed to address the security issues he reported. Krawetz also plans to reveal at least three more Tor zero-days including one that can be exploited to show the real-world IP addresses of Tor servers.

Krawetz provided further insight on his difficulties dealing with the Tor Project as a security researcher over the years in a blog post, saying:

“After my public shaming of the Tor Project (in 2017), they changed their web site design to make it easier to report vulnerabilities. They also opened up their bug bounty program at HackerOne. Unfortunately, while it is easier now to report vulnerabilities to the Tor Project, they are still unlikely to fix anything. I've had some reports closed out by the Tor Project as 'known issue' and 'won't fix'. For an organization that prides itself on their secure solution, it is unclear why they won't fix known serious issues.”

Tor zero-days

The first of the two zero-days disclosed by Krawetz could be used by organizations and ISPs to block users from connecting to the Tor Network. To do this, they would need to scan network connections for “a distinct packet signature” that is unique to Tor traffic. The packet could even be used to block Tor connections from initiating which would prevent users from connecting to the service at all.

While the first zero-day could be leveraged to detect direct connections to Tor guard nodes that allow users to connect to the Tor Network, the second zero-day can be used to detect indirect connections. These connections are used to create Tor bridges which are a special type of entry point into the network that can be used when direct access to the Tor network is blocked by companies or ISPs.

According to Krawetz, connections to Tor bridges can also be easily detected using a technique similar to tracking specific TCP packets.

Now that two-zero days affecting Tor have been disclosed with the possibility of three more being disclosed in the future, Tor users in countries with oppressive regimes such as North Korea and Syria soon may be unable to use the service. Hopefully though, the Tor Project will realize the seriousness of the zero-days disclosed by Krawetz and make an effort to fix them before this can happen.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough