Tor Security Audit Uncovers 17 Vulnerabilities

A comprehensive security audit of Tor, focusing on several key components, has uncovered 17 vulnerabilities, one of which is considered high-risk. The audit was conducted by the non-profit consulting organization Radically Open Security from April to August 2023. It covered the Tor Browser for desktop and Android, exit nodes, public services (SWBS, Onionoo API, and the metrics server), infrastructure components, as well as testing and profiling tools. The results of the assessment were published this week.

The audit, which was a crystal box penetration test (where testers have access to the source code), identified 17 different issues. Most of these are medium- and low-risk flaws that could be exploited to mount DoS attacks, to downgrade or bypass protections, or to gain access to information. Some of the problems are related to the use of outdated or unsupported third-party components.

Most Serious Vulnerability: CSRF in Onion Bandwidth Scanner

The most critical vulnerability found was a CSRF (Cross-Site Request Forgery) issue affecting the Onion Bandwidth Scanner (Onbasca). This vulnerability could allow an attacker to inject their own bridges into the database.

Onbasca is a scanner run by directory authority nodes, which keep track of all currently active nodes and monitor the overall health of the network. This helps manage performance, distribute network load, and detect attacks. However, bridges are not included in this list and can be especially useful for users in certain countries, as they are harder to block.

According to the Radically Open Security report: “Attackers can lure a victim’s directory authority to their site and carry out a CSRF attack as soon as the victim’s browser is on the same network as Onbasca. This happens when the victim uses the Django web interface. As a result, pre-auth attackers can inject IP addresses they control into the database. When the regularly scheduled bridgescan command is run, the Onbasca application will connect to the attacker-controlled bridge.”
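The checks that stop this class of request on a state-changing endpoint, as an added example that is not code from Onbasca or from the audit report: the origin `https://scanner.example`, the function name and the sample requests are constructed, and the token comparison is a simplified double-submit check using Django's default cookie and form field names rather than Django's own middleware logic.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumption: the only origin the web interface is served from (constructed).
TRUSTED_ORIGINS = {"https://scanner.example"}


def check_state_change(method, headers, cookies, form, authenticated):
    """Decide whether a request may modify stored data. Returns (ok, reason)."""
    # State must never change on a method browsers send freely cross-site.
    if method.upper() in SAFE_METHODS:
        return False, "state change over a safe method"
    # A pre-auth write path is what lets a forged request succeed at all.
    if not authenticated:
        return False, "no authenticated session"
    # The browser reports which site initiated the request.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" not in TRUSTED_ORIGINS:
        return False, "cross-site origin"
    # Double-submit token: another site cannot read the cookie to copy it.
    cookie_token = cookies.get("csrftoken", "").encode()
    form_token = form.get("csrfmiddlewaretoken", "").encode()
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return False, "CSRF token mismatch"
    return True, "ok"


# Constructed sample requests (203.0.113.7 is a documentation address).
FORGED = dict(method="POST", headers={"Origin": "https://attacker.example"},
              cookies={}, form={"address": "203.0.113.7"}, authenticated=False)
FORGED_GET = dict(method="GET", headers={}, cookies={},
                  form={"address": "203.0.113.7"}, authenticated=True)
FORGED_WITH_SESSION = dict(FORGED, authenticated=True)
LEGITIMATE = dict(method="POST", headers={"Origin": "https://scanner.example"},
                  cookies={"csrftoken": "t0k3n"},
                  form={"csrfmiddlewaretoken": "t0k3n", "address": "203.0.113.7"},
                  authenticated=True)

if __name__ == "__main__":
    for name in ("FORGED", "FORGED_GET", "FORGED_WITH_SESSION", "LEGITIMATE"):
        print(name, check_state_change(**globals()[name]))
```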

Previous Tor Security Audits

It’s worth noting that from November 2022 to April 2023, Tor also underwent a security audit by Cure53, which focused on identifying vulnerabilities related to user interface changes and censorship circumvention.
