Multiple zero-day vulnerabilities in Tor have been disclosed online as well as a malicious exit node operator stealing bitcoin and other nefarious activities.

A security researcher has disclosed two zero-days affecting Tor with more to come soon.

After unsuccessfully trying to report bugs to the Tor Project for years, a security researcher has publicly disclosed two zero-day vulnerabilities which impact both the Tor network and the Tor browser.

In two recent blog posts, Dr. Neal Krawetz announced that he has decided to go public with details on multiple zero-days in Tor after the Tor Project failed to address the security issues he reported. Krawetz also plans to reveal at least three more Tor zero-days including one that can be exploited to show the real-world IP addresses of Tor servers.

Krawetz provided further insight on his difficulties dealing with the Tor Project as a security researcher over the years in a blog post, saying:

“After my public shaming of the Tor Project (in 2017), they changed their web site design to make it easier to report vulnerabilities. They also opened up their bug bounty program at HackerOne. Unfortunately, while it is easier now to report vulnerabilities to the Tor Project, they are still unlikely to fix anything. I’ve had some reports closed out by the Tor Project as ‘known issue’ and ‘won’t fix’. For an organization that prides itself on their secure solution, it is unclear why they won’t fix known serious issues.”RECOMMENDED VIDEOS FOR YOU…CLOSECanon EOS R5 | Everything You Need To Know In 1 Minute00:15 of 01:31Volume 0%00:5000:00PLAY SOUND

Tor zero-days

The first of the two zero-days disclosed by Krawetz could be used by organizations and ISPs to block users from connecting to the Tor Network. To do this, they would need to scan network connections for “a distinct packet signature” that is unique to Tor traffic. The packet could even be used to block Tor connections from initiating which would prevent users from connecting to the service at all.

While the first zero-day could be leveraged to detect direct connections to Tor guard nodes that allow users to connect to the Tor Network, the second zero-day can be used to detect indirect connections. These connections are used to create Tor bridges which are a special type of entry point into the network that can be used when direct access to the Tor network is blocked by companies or ISPs.

According to Krawetz, connections to Tor bridges can also be easily detected using a technique similar to tracking specific TCP packets.

Now that two-zero days affecting Tor have been disclosed with the possibility of three more being disclosed in the future, Tor users in countries with oppressive regimes such as North Korea and Syria soon may be unable to use the service. Hopefully though, the Tor Project will realize the seriousness of the zero-days disclosed by Krawetz and make an effort to fix them before this can happen.

A single malicious entity controls nearly a quarter of all nodes used on the anonymous internet provider Tor Network and is using its position to steal bitcoin and other cryptocurrencies.

  • A cybersecurity analyst, using the pseudonym “nusenu,” said in a report this week a hacker now controls approximately 23% of the Tor Network’s exit relay capacity.
  • The Tor Network provides anonymous internet access with voluntarily run relays that route traffic in order to obfuscate users’ traceable and identifiable IP addresses.
  • The exit relay is the final stage that connects users to their requested websites.
  • Per the report, the hacker is using her/his position as a major exit relay host to stage sophisticated person-in-the-middle attacks, stripping websites of encryption and giving her/him full unrestricted access to traffic passing through her/his servers.
  • The malicious agent primarily focused on bitcoin mixer services, replacing wallet addresses so the mixer returns “clean” funds to the hacker rather than the original user.
  • A lack of enforcement on the Tor Network means the hacker has more than doubled her/his share of exit relays from under 10% last December, nusenu said.
  • It’s unclear how much cryptocurrency has been stolen and whether the malicious agent is engaged in other attacks.
  • At least one bitcoin mixer service has added an additional security layer preventing hackers from removing their website’s encryption.
  • The identity of the hacker remains a mystery and it isn’t clear if there’s any added motivation is for the attack besides stealing cryptocurrencies.