A Texas-based research firm has found a critical flaw in TAILS, an anonymity-focused operating system touted by the likes of Edward Snowden, that puts users in danger of being de-anonymized and revealed to the world.
The vulnerability, found by Exodus Intelligence, rests with I2P, an anonymizing network that has been rising in popularity alongside the Tor Project, a far mor prominent tool for using the Internet anonymously.
Although the full technical details have yet to be released to the public—the I2P team has them and is working on a fix—we know that the vulnerability de-anonymizes TAILS users who are connected to the I2P network through remote code execution.
The vulnerability, which works on fully patched versions of TAILS and I2P, requires JavaScript to be enabled. Simply turning that off will protect you—at least from this particular attack.
MT “@ampernand the i2p 0 day requires you to have js enabled for it to work.” Default setting on Tails allows JS. Oops. ;)
— Aaron Portnoy (@aaronportnoy) July 24, 2014
I was expecting something 1337 but was disappointed. the i2p 0 day requires you to have js enabled for it to work.
— Jeff (@ampernand) July 23, 2014
Similarly, JavaScript has been used to attack and de-anonymize users of Tor, most notably when the FBI sacked the biggest Web host on the Deep Web in 2013.
“We publicized the fact that we’ve discovered these issues for a very simple reason,” Exodus wrote in a blog post, “no user should put full trust into any particular security solution.”
“By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible. Even when the issues we’ve found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others.”
I2P, which can be downloaded and used as a standalone program, has been bundled with the TAILS operating system for a little over a year.
Exodus Intelligence, which makes its money by selling critical software vulnerabilities to entities like the United States government, sparked a major debate in the information security community when it announced the existence of flaws in TAILS and then I2P but did not immediately disclose the details to either project’s developers.
Exodus has since brought the teams from TAILS and I2p—both non-profit, volunteer outfits with limited resources and manpower—into the loop.
TAILS and I2P are both open-source projects but, due to their size, cannot often afford full audits from experts.
@semibogan @suqdiq @aaronportnoy @ExodusIntel please send developers and an audit team to i2p, it’d be greatly appreciated.
— Jeff (@ampernand) July 23, 2014
“We at Exodus are able to do what many software projects cannot,” the company’s blog continued, “perform security code audits and find exploitable vulnerabilities releasing them to the public.”
In response to critics, Exodus’s blog explained that the loud airing of the issue was deliberate. “Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security,” the company wrote. “It’s not enough to have faith upon security, rather to have an understanding of it.”
More detailed information about the vulnerability will be available to the public soon, representatives from both Exodus and I2P have promised.
Photo via tompagenet/Flickr (CC BY-SA 2.0)