TOR Vulnerability Allows Attackers to View Exact Timestamp a User Connected to a v2 Onion Address

Updated: 21 November 2021

Cybersecurity researcher Sick.Codes has discovered a major vulnerability in the Tor browser, allowing a correlation attack that can compromise the privacy of visits to v2 onion addresses.

The case was filed under CVE-2021-39246.

The vulnerability affects versions of the Tor browser through 10.5.6 and 11.x through 11.0a4 and allows a local attacker with physical access to affected devices to view metadata about v2 domains, more precisely the exact timestamp at which a user connected to a v2 onion address while using the --log or --verbose command-line options.

This way an attacker is able to identify the exact moment a Tor user connected to a new v2 onion website. This would allow the attacker to easily triangulate the user using the complete set of connection timestamps available in the log file.

The problem is amplified by the fact that this timestamp is created every single time a Tor client connects to a v2 onion address. This can then be compared and correlated with a server connection log or a compromised Tor end point, if the attacker gains access to these data points.

Using the above, an attacker will then potentially be able to nullify the confidentiality and integrity of the user’s Tor session when --log or --verbose are being used.

The vulnerability is currently not fixed and is not expected to be fixed due to v2 Onion addresses becoming deprecated in October 2021.

V2 onion site connection timestamps are logged at the exact moment the server responds:

Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline

Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline

Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline

Sep 24 16:29:02.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline
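
To check whether a local log already holds these entries and to produce a copy without them, the following is an added example, not code from the original article or from the Tor Project. It assumes the line format shown in the sample above; the function names and the year parameter are hypothetical, and the sample log is constructed.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Marker text copied from the warning quoted on this page.
V2_MARKER = "You've just connected to a v2 onion address"
# Tor log prefix as in the sample lines: "Sep 24 16:28:52.000 [warn] ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<sev>\w+)\] (?P<msg>.*)$"
)

def audit_log(text, year=2021):
    """Split a Tor log into (exposed v2 timestamps, log text without those lines)."""
    exposed, kept = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and V2_MARKER in m.group("msg"):
            # Tor log lines carry no year, so the caller supplies one (assumption).
            exposed.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S.%f"))
        else:
            kept.append(line)
    return exposed, "".join(l + "\n" for l in kept)

def summarize(exposed):
    """Count warning entries per distinct timestamp, oldest first."""
    return sorted(Counter(exposed).items())

# Constructed sample: one ordinary notice plus v2 warnings shaped like the page's lines.
SAMPLE = "\n".join([
    "Sep 24 16:28:40.000 [notice] Bootstrapped 100% (done): Done",
    "Sep 24 16:28:52.000 [warn] Warning! " + V2_MARKER + ". These addresses are deprecated",
    "Sep 24 16:28:52.000 [warn] Warning! " + V2_MARKER + ". These addresses are deprecated",
    "Sep 24 16:29:02.000 [warn] Warning! " + V2_MARKER + ". These addresses are deprecated",
]) + "\n"

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run on the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    exposed, scrubbed = audit_log(text)
    for ts, n in summarize(exposed):
        print(f"{ts.isoformat()}  {n} v2 connection warning(s)")
    print(f"{len(exposed)} exposing line(s); {len(scrubbed.splitlines())} line(s) remain after scrub")
```

Run against a log written with --log, a non-empty result means the file records visit times and should be scrubbed or deleted; the second return value is the log with only those lines removed.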

Disclosure Timeline

2021-07-02 – Researcher discovers vulnerability on bounty platform
2021-07-07 – Report closed as informative
2021-08-17 – Researcher requests CVE
2021-08-17 – Vendor re-notified via sec mailing list, and on bounty platform chat.
2021-09-10 – No response: researcher opens Pull Request to remove timestamps.
2021-09-24 – CVE published

Impact

Tor Browser latest 10.5.6 is affected.

Tor Browser alpha 11.0a4 is affected.

Why is it Happening?

Last year in September Tor announced that it would be deprecating v2 onion addresses.

In June 2021 the Tor browser began to warn users about this update every time they accessed a v2 domain. This warning then gets logged with the exact timestamp of the server connection time while using the --log or --verbose command-line options.

Related to Previous Brave Vulnerability

Previously, in August 2021, Sick.Codes discovered a vulnerability with similar impact that has its origin in the present Tor vulnerability.

At that time it affected Brave browser 1.27 and below, where the browser permanently logged the server connection time for all v2 Tor domains to ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log

As is the case this time as well, the Brave vulnerability allowed an attacker who obtained physical access to a device to view the exact timestamps at which someone connected to a v2 onion address.

This in turn could have helped the attacker to establish the exact moment the user connected to a new v2 .onion site. Comparing this to server logs, the attacker would have been able to identify the affected user.

Researchers

Sick Codes https://github.com/sickcodes || https://twitter.com/sickcodes
Miklos Zoltan https://twitter.com/mzb4455 || https://www.privacyaffairs.com/authors/miklos/

Links

https://sick.codes/sick-2021-111

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39246

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39246

Written by: Miklos Zoltan