TOR Vulnerability Allows Attackers to View Exact Timestamp a User Connected to a v2 Onion Address

Miklos Zoltan

By Miklos Zoltan . 19 February 2022

Founder - Privacy Affairs

Cybersecurity researcher Sick.Codes has discovered a major vulnerability on the Tor browser, allowing a correlation attack that can compromise the privacy of visits to v2 onion addresses.

The case was filed under CVE-2021-39246.

The vulnerability discovered affected versions of the Tor browser through 10.5.6 and 11.x through 11.0a4 and allow a local attacker with physical access to affected devices to view metadata about v2 domains, more precisely the exact timestamp that a user connected to a v2 onion address while using the –log or –verbose command line options.

This way an attacker is able to identify the exact moment a Tor user connected to a new v2 onion website. This would allow the attacker to easily triangulate the user using the complete logs available in the connection timestamps in the log file.

The problem is amplified by the fact that this timestamp is created every single time a Tor client connects to a v2 onion address. This can then be compared and correlated with a server connection log or a compromised Tor end point, if the attacker gains access to these data points.

Using the above, an attacker will then potentially be able to nullify the confidentiality and integrity of the user’s Tor session when –log or —verbose are being used.

The vulnerability is currently not fixed and is not expected to be fixed due to v2 Onion addresses becoming deprecated in October 2021.

V2 onion site connection timestamps are logged at the exact moment the server responds:

Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline

Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline

Sep 24 16:28:52.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline

Sep 24 16:29:02.000 [warn] Warning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timeline

Our Mission

We believe security online security matters and its our mission to make it a safer place.

Disclosure Timeline

2021-07-02 – Researcher discovers vulnerability on bounty platform
2021-07-07 – Report closed as informative
2021-08-17 – Researcher requests CVE
2021-08-17 – Vendor re-notified via sec mailing list, and on bounty platform chat.
2021-09-10 – No response: researcher opens Pull Request to remove timestamps.
2021-09-24 – CVE published

Impact

Tor Browser latest 10.5.6 is affected.

Tor Browser alpha 11.0a4 is affected.

Why is it Happening?

Last year in September Tor announced that it would be deprecating v2 onion addresses.

In June 2021 the Tor browser began to warn users about this update every time they accessed a v2 domain. This warning then gets logged with the exact timestamp of the server connection time while using the –log or –verbose command line options.

Additional Privacy Affairs guides:
VPN for Roobet – Using Roobet with a VPN
Best VPN for Mac – Picking a VPN for Mac
Disney Plus VPN – Unblocking Disney Plus with a VPN
Best VPN for Android – How to pick a VPN for Android
Best VPNs – How to choose a VPN

Related to Previous Brave Brave Vulnerability

Previously in August 2021 Sick.Codes discovered a vulnerability with similar impact that has its origin in the present Tor vulnerability.

At that time affecting Brave browser 1.27 and below where the browser permanently logged the server connection time for all v2 tor domains to ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log

Like it’s the case this time as well, the Brave vulnerability allowed an attacker who obtained physical access to a device to view the exact timestamps that someone connected to a v2 onion address.

This in turn could have helped the attacker to establish the exact moment the user connected to a new v2 .onion site. Comparing this to server logs, the attacker would have been able to identify the affected user.

Leave a Comment