January 31, 2024 at 12:36PM
A recent code security audit of the Tor network by Radically Open Security revealed 17 vulnerabilities, including a high-risk CSRF bug in the Onion Bandwidth Scanner. The issues can lead to DoS attacks, security bypass, and unauthorized access. This audit followed another by Cure53 that focused on user interface changes and censorship circumvention.
From the meeting notes, here are the key takeaways:
– A code security audit of the Tor anonymity network conducted by Radically Open Security between April and August 2023 revealed more than a dozen vulnerabilities, with one being classified as ‘high risk’.
– The audit covered several components including the Tor browser, exit relays, exposed services, infrastructure, and testing and profiling tools.
– A crystal box penetration test uncovered a total of 17 security issues, with the most serious being a high-risk cross-site request forgery (CSRF) bug affecting the Onion Bandwidth Scanner (Onbasca).
– Some of the vulnerabilities could potentially allow launch of DoS attacks, downgrade or bypass security, and gain unauthorized access.
– Directory authorities running Onbasca are at risk of being lured to perform a successful CSRF attack, allowing unauthenticated attackers to inject bridges into the database, ultimately leading to further attacks.
– The audit follows security assessments by Cure53 that focused on user interface changes and censorship circumvention.
These takeaways highlight the critical vulnerabilities identified in the Tor network and emphasize the urgent need for remediation to ensure the network’s security and integrity.