Developers for the Tor privacy browser are scrambling to fix a bug that researchers say could allow hackers, or government surveillance agencies, to track users online. The vulnerability came to light Monday following the cancellation of a presentation titled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" that had been scheduled to be given at the Black Hat security conference in Las Vegas.
Developers are close to fixing the breach, said Tor project leader Roger Dingledine.
"Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found," Dingledine said in an e-mail to Tor users. "The bug is a nice bug, but it isn't the end of the world. And of course these things are never as simple as 'close that one bug and you're 100% safe.'"
Hundreds of Thousands Exposed
The de-masking exploit is said to be able to reveal the identities of hundreds of thousands of users, and was discovered by Alexander Volynkin and Michael McCord of Carnegie Mellon University. Attorneys for the university and from the Software Engineering Institute asked that the talk be canceled. The university said the materials that were to have been used in the presentation had not been approved by CMU or SEI for public release.
Dingledine wrote that Tor's developers now believe they understand the nature of the vulnerability the researchers discovered, even though the researchers have not fully disclosed the details of the attack. Tor is working with the U.S. Computer Emergency Readiness Team to coordinate disclosure of the security details of the bug by the end of the week.
"We did not ask Black Hat or CERT to cancel the talk," Dingledine said. "We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made."
Fumbling in the Dark Web
Tor said it has been shown some of the materials that were to have been presented at the conference, but has yet to receive any slides or descriptions of the talk itself, other than what was made publicly available on the Black Hat Web page.
"It sure would have been smoother if they'd opted to tell us everything," Dingledine said.
Tor said it does not want to discourage future researchers from working with it to continue discovering new bugs in the browser.
"We encourage research on the Tor network along with responsible disclosure of all new and interesting attacks. Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues," Tor said.
Previously, it was reported that the National Security Agency had successfully tracked the IP address of any Internet user who had either installed or even just conducted a search for the dark net browser. The U.S. intelligence agency is said to have tracked down the users after infiltrating two of the Tor servers in Germany. It then used that access to build profiles of users based on their online habits.