
posted by Fnord666 on Tuesday November 07 2017, @06:32PM
from the tor-springs-a-leak dept.

Submitted via IRC for SoyCow1984

TorMoil, as the flaw has been dubbed by its discoverer, is triggered when users click on links that begin with file:// rather than the more common https:// and http:// address prefixes. When the Tor browser for macOS and Linux is in the process of opening such an address, "the operating system may directly connect to the remote host, bypassing Tor Browser," according to a brief blog post published Tuesday by We Are Segment, the security firm that privately reported the bug to Tor developers.

On Friday, members of the Tor Project issued a temporary work-around that plugs that IP leak. Until the final fix is in place, updated versions of the browser may not behave properly when navigating to file:// addresses. They said the Windows versions of Tor, Tails, and the sandboxed Tor browser that's in alpha testing aren't vulnerable.

Source: https://arstechnica.com/information-technology/2017/11/critical-tor-flaw-leaks-users-real-ip-address-update-now/


  • (Score: 5, Informative) by Anonymous Coward on Tuesday November 07 2017, @10:11PM (2 children)

    by Anonymous Coward on Tuesday November 07 2017, @10:11PM (#593840)

    Do you hover over every link on a webpage to check the URL before you click it?

    That only works if you have Javascript disabled as Javascript can change a link during the click action. (If you're using Tor Javascript should be disabled but often isn't due to it being enabled by default because the people setting the defaults are stupid fucktards that have no business even being around a computer let alone setting defaults in an application supposedly designed to be secure. *cough* But I digress...)

    Proof:

    1. Go to Google with Javascript enabled in a clean browser profile. (Clean profile in case some Adblock rule has implemented something to block this bullshit.)
    2. Search for something. Doesn't matter what. Preferably something where you know what the destination site should be. "SoylentNews" would be a good search term.
    3. On the results page, hover over a non-ad link. It will look like the site you expect it to be. Search for SoylentNews, get the link to this site. Nothing unexpected so far...
    4. Right-click the link, then close the context menu by clicking somewhere else. Now hover over the link again. Not where you expected to go, is it? That's malicious Javascript at work changing links as you click on them. Malicious Javascript served up directly from Google. Malicious Javascript with HEAVY obfuscation applied in order to try to hide exactly what they're doing. (View the source and try to read the Javascript. Ugly, isn't it?)
    5. Find another link, this time click and hold the left mouse button on it and drag the link a short distance away from where it was, but don't drop it. Before releasing the left mouse button, tap the escape key to cancel the click action, then release the left mouse button. Now hover over the link you just used the left mouse button on. Same thing, the link has been hijacked by Google's malicious Javascript so that it takes you someplace you didn't expect to go.

    I've had nothing less than some form of a complete brick-shitting WTF?! response from every person I've demonstrated this to. Every. Single. Person. I've demonstrated it to some very knowledgeable systems engineers and CSOs in the hopes that SOMEONE would have known about this. Nope. Everyone who's not a complete tin-hat paranoid (*waves to the crowd* HI EVERYONE!) thinks hovering over links is a safe way to tell exactly where the link will take you.

    1984? Nope, sorry, we went to plaid blowing past that at ludicrous speed a little over a decade ago and nobody even bothered to wave at it as we went past it.

    And people call me paranoid...

  • (Score: 2) by MichaelDavidCrawford on Tuesday November 07 2017, @10:29PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Tuesday November 07 2017, @10:29PM (#593854) Homepage Journal

    I used it for a while but found that it didn't always work.

    Having an appealing meta description and an identical first paragraph after the header, combined with these sketchy links, enables your site to get more SEO without having anything to do with link popularity.

    When I first wrote about that, the javascript links were only a small sample. Most were the real link. I expect no one objected - you know like boiling a frog.

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 2) by urza9814 on Wednesday November 08 2017, @12:48AM

    by urza9814 (3954) on Wednesday November 08 2017, @12:48AM (#593902) Journal

    Do you hover over every link on a webpage to check the URL before you click it?

    That only works if you have Javascript disabled as Javascript can change a link during the click action. (If you're using Tor Javascript should be disabled but often isn't due to it being enabled by default because the people setting the defaults are stupid fucktards that have no business even being around a computer let alone setting defaults in an application supposedly designed to be secure. *cough* But I digress...)

    Agree with you about Javascript not always being disabled, but it's far worse than just rewriting links. If it rewrites the link to 'file:///...', you'd know *something* weird happened. Even if you didn't know exactly what or why, you'd notice.

    But I wonder if this flaw would still exist if the link is opened directly through a Javascript call. It won't open a browser tab, it won't redirect the page, it'll just fire a request to 'file:///whatever' and discard the response...but meanwhile your IP potentially gets exposed without you knowing anything happened at all. And without you clicking any link.

    This was IMO one of the great advantages of the old* Freenet network. No scripts to expose information and no servers to retrieve it. No active content was supported at all, and you didn't connect to a server you just retrieved static files from a distributed storage system.

    * I say "old" Freenet because I stopped using it back during the 0.5/0.6 network split, which was nearly a decade ago now. Based on the idiocy of some of those devs I wouldn't be surprised if they "fixed" that at some point...
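An added example, not code from the story, from We Are Segment or from either commenter: a small defensive link watcher covering both the hover-then-rewrite behaviour the first comment describes and the non-http(s) destinations (file:// in the TorMoil case) the reply worries about. The page URL and the example.com / soylentnews.org hrefs used in the comments are constructed values for illustration.

```javascript
// Added example, not code from the story or either comment: a defensive link watcher.
// It records an anchor's href on hover and, on mousedown/click, refuses navigation if
// the href was rewritten underneath the user (the behaviour described above) or if the
// scheme is not http(s), covering the file:// links TorMoil is triggered by.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Resolve an href the way a browser would (relative hrefs against the page URL).
function resolveHref(href, pageUrl) {
  try {
    return new URL(href, pageUrl).href;
  } catch (e) {
    return null; // unparsable href: treat as unknown, never as safe
  }
}

// Pure decision logic, testable outside a browser. Returns { allow, reason }.
function evaluateClick(hoveredHref, clickedHref, pageUrl) {
  const before = resolveHref(hoveredHref, pageUrl);
  const after = resolveHref(clickedHref, pageUrl);
  if (after === null) return { allow: false, reason: "unparsable href" };
  const scheme = new URL(after).protocol;
  if (!SAFE_SCHEMES.has(scheme)) return { allow: false, reason: "blocked scheme " + scheme };
  if (before !== null && before !== after) {
    return { allow: false, reason: "href rewritten from " + before + " to " + after };
  }
  return { allow: true, reason: "ok" };
}

// Browser wiring (e.g. a user script); capture-phase listeners run before the page's
// own handlers on the anchor, so a blocked click never reaches them.
if (typeof document !== "undefined") {
  const seen = new WeakMap(); // anchor element -> href first observed on hover
  const anchorOf = (ev) => ev.target.closest && ev.target.closest("a[href]");
  document.addEventListener("pointerover", (ev) => {
    const a = anchorOf(ev);
    if (a && !seen.has(a)) seen.set(a, a.getAttribute("href"));
  }, true);
  for (const type of ["mousedown", "click", "auxclick"]) {
    document.addEventListener(type, (ev) => {
      const a = anchorOf(ev);
      if (!a) return;
      const hovered = seen.has(a) ? seen.get(a) : a.getAttribute("href");
      const verdict = evaluateClick(hovered, a.getAttribute("href"), document.baseURI);
      if (verdict.allow) return;
      ev.preventDefault();
      ev.stopImmediatePropagation();
      console.warn("link watcher blocked navigation:", verdict.reason, a);
    }, true);
  }
}
```

Note that this only catches rewrites that change the anchor's href; a script that fires its own fetch to a file:// URL, as the reply describes, never goes through an anchor at all and is only stopped by disabling scripts or by the browser fix itself.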