Multiple zero-day vulnerabilities in Tor have been disclosed online


After unsuccessfully trying to report bugs to the Tor Project for years, a security researcher has publicly disclosed two zero-day vulnerabilities which impact both the Tor network and the Tor browser.

In two recent blog posts, Dr. Neal Krawetz announced that he has decided to go public with details on multiple zero-days in Tor after the Tor Project failed to address the security issues he reported. Krawetz also plans to reveal at least three more Tor zero-days including one that can be exploited to show the real-world IP addresses of Tor servers.

Krawetz provided further insight on his difficulties dealing with the Tor Project as a security researcher over the years in a blog post, saying:

“After my public shaming of the Tor Project (in 2017), they changed their web site design to make it easier to report vulnerabilities. They also opened up their bug bounty program at HackerOne. Unfortunately, while it is easier now to report vulnerabilities to the Tor Project, they are still unlikely to fix anything. I've had some reports closed out by the Tor Project as 'known issue' and 'won't fix'. For an organization that prides itself on their secure solution, it is unclear why they won't fix known serious issues.”

Tor zero-days

The first of the two zero-days disclosed by Krawetz could be used by organizations and ISPs to block users from connecting to the Tor network. To do this, they would need to scan network connections for “a distinct packet signature” that is unique to Tor traffic. The packet could even be used to block Tor connections from initiating, which would prevent users from connecting to the service at all.

While the first zero-day could be leveraged to detect direct connections to Tor guard nodes that allow users to connect to the Tor Network, the second zero-day can be used to detect indirect connections. These connections are used to create Tor bridges which are a special type of entry point into the network that can be used when direct access to the Tor network is blocked by companies or ISPs.

According to Krawetz, connections to Tor bridges can also be easily detected using a technique similar to tracking specific TCP packets.

Now that two zero-days affecting Tor have been disclosed, with the possibility of three more being disclosed in the future, Tor users in countries with oppressive regimes such as North Korea and Syria may soon be unable to use the service. Hopefully, though, the Tor Project will realize the seriousness of the zero-days disclosed by Krawetz and make an effort to fix them before this can happen.

Via ZDNet

Anthony Spadafora
