The Tor Project, the non-profit that maintains the Tor anonymity software, has patched a vulnerability in a section of its website that could have exposed its visitors to attack, or at least to unexpected messages.
Roy Jansen, a security researcher with a history of uncovering vulnerabilities in websites, tweeted evidence of the cross-site scripting (XSS) vulnerability on Saturday. XSS of the kind demonstrated here lets an attacker craft a URL that causes the site to include attacker-supplied script in one of its own pages; the browser of anyone who visits that link then runs the script in the site's context, without the user noticing.
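To make the mechanism concrete, here is an added example, not code from the article or from the Tor Project's website: a page that echoes a search parameter back into its HTML. The vulnerable renderer concatenates the parameter raw, so a crafted link carrying a script tag produces a page that executes it; the hardened renderer HTML-escapes the value first. The host name, the "q" parameter and the page layout are assumptions made up for this demonstration.

```javascript
// Added example: reflected XSS via a crafted URL, vulnerable vs. hardened rendering.
// Not from the article or the Tor Project; host, parameter name and markup are invented.

// Constructed attacker link: the "q" parameter is a URL-encoded <script> tag.
const CRAFTED_URL =
  "https://example.invalid/archive?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E";

// Pull one query parameter out of a URL (decoding happens in URLSearchParams).
function getQueryParam(urlString, name) {
  return new URL(urlString).searchParams.get(name) || "";
}

// VULNERABLE: user-controlled text is dropped straight into the HTML body,
// so "<script>...</script>" in the parameter becomes live markup.
function renderVulnerable(urlString) {
  const q = getQueryParam(urlString, "q");
  return `<h1>Archive</h1><p>Results for: ${q}</p>`;
}

// Escape the characters that are significant in HTML text and attribute
// values. This is the right encoder for those two contexts only; script
// blocks, URLs and CSS each need their own encoding.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: the same page with the parameter encoded at the point of output,
// so the browser renders the attacker's payload as visible text instead of running it.
function renderHardened(urlString) {
  const q = getQueryParam(urlString, "q");
  return `<h1>Archive</h1><p>Results for: ${escapeHtml(q)}</p>`;
}

// Crude check for this demonstration only: does the output contain a real script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: show both renderings for the crafted link.
console.log("vulnerable:", renderVulnerable(CRAFTED_URL));
console.log("hardened:  ", renderHardened(CRAFTED_URL));
```

Output encoding at the point where untrusted data meets HTML is the fix; a Content-Security-Policy that disallows inline script is a worthwhile second layer, but it does not remove the underlying bug.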
“Maybe [the] Tor [network] isn't really in danger,” Jansen told Motherboard in a Twitter message. “But their userbase/blog visitors are.”
In his tweet, Jansen included a link to demonstrate the vulnerability. When clicked, users are directed to the "Archive" section of the Tor Project's website, but with an additional message inserted by Jansen.
Possibly the most famous example of XSS is the so-called Samy worm: in 2005, then 19-year-old hacker Samy Kamkar created a worm that amassed more than a million Myspace friends in under a day. Other more recent XSS vulnerabilities have affected WordPress plugins,
Jansen claimed to have informed the Tor Project about the XSS vulnerability previously, but when he received no reply, he decided to publish some details.
“Tor Project, after sending 5 emails without a reply, probably you'll read this,” Jansen tweeted. Jansen forwarded Motherboard an email he ostensibly sent to a number of Tor mailing lists as well as the Tor Project's press contact on 31 December 2015, warning of the vulnerability, and Jansen said he originally found the issue a year ago. (The email to the Tor developer mailing list was not successfully delivered, because he was not able to post to it.)
“It frustrated that I never received any answer,” Jansen told Motherboard. “So I decided to set it public, in the hope they will patch it now.” It appears to have worked—while Motherboard was reporting on this story, the Tor Project patched the vulnerability.
Back in December, during the German hacking conference Chaos Communication Congress, the Tor Project announced its first bug bounty program. With sponsorship from the Open Technology Fund, and with help from bounty platform HackerOne, researchers may be paid for vulnerabilities they discover in Tor Project applications. That likely does not include issues with the Tor Project website, however, and the program has started out invite-only.
“We fixed a glitch in our blog—to be clear, it's our organizational blog and not Tor software—Tor users are not affected. There is no there there,” Kate Krauss, spokesperson for the Tor Project told Motherboard, referring to a literary phrase written by Gertrude Stein.
Jansen, who discovered the vulnerability, told Motherboard that he hasn't received a reply from the Tor Project.
“I am glad they fixed it all, but it feels so bad no one even replied with a simple word: 'thanks'.”