Researcher Discovered Two Zero-Days on Tor, but There Are More

  • A researcher who got fed-up with Tor Project’s ignorance has decided to publish two-zero days.
  • The man says there are another three a lot more severe zero-days, which he is keeping private for now.
  • Tor seems to be losing the battle to stay alive and trustworthy, as the team’s capacity is shrinking.

According to reports by security researcher Dr. Neal Krawetz, the Tor Project’s security situation is derailing, and the team behind the popular privacy-protecting browser and network aren’t rising to the occasion. As the man stated, he has already shared the details about two zero-day flaws with the Tor team, but they have done nothing about them.

Moreover, he claims to already hold another three zero-days, which he won’t reveal just yet. This is to allow the Tor Project the time to fix the other two first, as his goal isn’t to put people’s privacy and security at risk.

The researcher reveals that he has reported the flaws to the Tor Project, shared proof of concept exploits, log files, detailed descriptions, examples, and additional explanations. However, the people behind Tor’s development responded by closing the bugs as “known issues,” “informative,” or “brainstormy and researchy.”

These are bugs reported over two years ago and which the Tor Project closed, essentially ignoring the reports. So, the man has decided to open the tap of publicity and release detailed examples of two of the five zero-days he holds, hoping that Tor will do something about them now.

The first flaw describes how ISPs could block Tor users from connecting to the Onion network. It could be based on the identification of network data packet signatures that are characteristic to Tor nodes. The second zero-day was revealed in a follow-up post, giving away enough technical details for its replication and exploitation.

That second flaw describes a way to block Tor bridge relay connections by identifying obfs4 traffic. Bridges are an alternative method of connecting to the Tor network, so the two zero-days combined would allow someone to enforce Tor policies and prevent all ways of connecting to the net privately.

obfs4 IP
Source: The Hacker Factor Blog

As for the three undisclosed flaws, these are even worse, as the researcher said they could be used to reveal the user’s real IP address, de-anonymize Tor servers, and compromise the network in the worst possible way.

Back in April, Tor was forced to lay off 37% of its development team, as the pandemic had severely trimmed the donations and contributions the project received. That said, the Tor Project is already in a dire position – and the zero-day reports that surface are only increasing the rate of trust loss from the user community.


Recent Articles

How to Watch FireKeepers Casino 400 Online: Live Stream NASCAR

We have another NASCAR Cup Series race just around the corner, which is the FireKeepers Casino 400. We plan on watching the FireKeepers Casino...

How to Watch Diesel Brothers: Monster Jam Breaking World Records Live Online

The Diesel Brothers are back for a special event on Discovery, in which they're going to try to set seven new Guinness World Records....

How to Find and Use Your ExpressVPN Activation Code – Plus, a Troubleshooting Guide to Activating ExpressVPN!

To activate ExpressVPN’s premium apps, you’ll need to supply an activation code. So, let’s talk about how to find and use your ExpressVPN activation...