Tor rushing to patch vulnerability that threatens its USP

Tor developers are frantically working to issue a fix for a weakness in the anonymous dark web browser that discloses the identity of hundreds of thousands of users – and you don’t have to be the National Security Agency [NSA] to exploit it.

The demasking method, which was ready for its unveiling at a security conference in Las Vegas, costs less than $3,000 [£1,760] and has the ability to reveal the identity of large numbers of users at the same time.

However, the organisers of the session, called "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget", have cancelled it due to a legal request, and officials responsible for Tor are close to releasing a fix that patches the vulnerability.

"Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found," Tor project leader Roger Dingledine wrote in an email to Tor users, according to Ars Technica. "The bug is a nice bug, but it isn't the end of the world. And of course these things are never as simple as 'close that one bug and you're 100% safe.'"

Dingledine added that the bug is a complicated one because the researchers involved didn’t hand over all the technical details when originally informing Tor officials about the vulnerability.

The researchers who discovered the bug are from Carnegie Mellon University [CMU], and attorneys from the institution as well as the Software Engineering Institute [SEI] requested that the talk be pulled from the conference schedule.

Materials that were to be used in the presentation “have not yet been approved by CMU/SEI for public release”, and the researchers, Alexander Volynkin and Michael McCord, haven’t explained why the talk has been cancelled.

Dingledine added that Tor officials didn’t ask Black Hat or CERT to cancel the talk and professed to have had “no idea” that the decision to cancel the talk would be made.

Tor users are being increasingly targeted by the authorities investigating its use for illicit means, and it was revealed earlier this month that the NSA is interested in anyone who has ever even searched for the software. It’s safe to say you have been warned!