Open source software is used to protect a sender’s identity
UPDATED A tool used by whistleblowers and the media to securely send information has patched two vulnerabilities that could have impacted the anonymous nature of the file-sharing system.
OnionShare is an open source tool for Windows, macOS, and Linux systems that is designed to keep users anonymous while carrying out activities including file sharing, website hosting, and messaging.
The service, made available through the Tor network and developed by The Intercept director of infoSec Micah Lee, is used by the general public as well as journalists and whistleblowers to preserve privacy.
On October 4, IHTeam published a security advisory on OnionShare. The team conducted an independent assessment of the software and uncovered two bugs, tracked as CVE-2021-41868 and CVE-2021-41867, which exist in versions of the software prior to v.2.4.
CVE-2021-41868 was found in OnionShare’s file upload mechanism. By default, OnionShare generates random usernames and passwords for Basic Auth at startup in non-public mode, IHTeam says, and so upload functionality should be limited to those with the right credentials.
However, while analyzing the receive_mode.py function, the team found that a logic issue caused files to be uploaded and stored remotely before an authentication check took place.
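The ordering flaw described above, shown as an added example (this is not OnionShare's code or IHTeam's): two simplified upload handlers, one that writes the request body to disk before checking Basic Auth and one that checks first. The handler names, credentials and request are constructed for illustration.

```python
import base64, hmac, io, os, tempfile

USER, PASSWORD = "onionshare", "constructed-password"  # constructed sample credentials

def authorized(environ):
    """Constant-time check of an HTTP Basic Auth header."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64
        return False
    return hmac.compare_digest(supplied, f"{USER}:{PASSWORD}".encode())

def store_body(environ, upload_dir):
    """Write the request body into upload_dir and return the file path."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    fd, path = tempfile.mkstemp(dir=upload_dir)
    with os.fdopen(fd, "wb") as out:
        out.write(environ["wsgi.input"].read(length))
    return path

def upload_store_then_check(environ, upload_dir):
    """Flawed ordering: the body reaches disk before credentials are checked."""
    store_body(environ, upload_dir)
    return "200 OK" if authorized(environ) else "401 Unauthorized"

def upload_check_then_store(environ, upload_dir):
    """Corrected ordering: reject the request before touching the body."""
    if not authorized(environ):
        return "401 Unauthorized"
    store_body(environ, upload_dir)
    return "200 OK"

def make_request(body, credentials=None):
    """Build a constructed WSGI-style environ for a POST upload."""
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    if credentials:
        token = base64.b64encode(credentials.encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    return environ

def files_left_after(handler, credentials=None):
    """Send one upload through handler; return (status, files left on disk)."""
    with tempfile.TemporaryDirectory() as upload_dir:
        request = make_request(b"constructed sample upload", credentials)
        return handler(request, upload_dir), len(os.listdir(upload_dir))
```

Both handlers answer an unauthenticated request with 401, so the status code alone does not reveal the flaw; a regression test has to inspect the upload directory as well.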
The second vulnerability reported by the Italian security team, CVE-2021-41867, could be exploited to disclose the participants of a chat session. This problem, found in OnionShare’s --chat parameter (chat_mode.py), allowed websocket connections from unauthenticated users, whether or not they owned a Flask session cookie.
“It seems that without a valid session ID it was not possible to intercept messages between users, since the system heavily [relies] on the session to connect into the default room – and without a valid one, messages remain undelivered to unauthenticated users,” the disclosing researcher Simone ‘d0td0tslash’ said.
“It is however recommended to avoid initiating a socket.io connection without prior validating the session cookie.”
OnionShare developers have now tackled both issues and released a new version of the software, v.2.4, on September 17.
Discussing the disclosure, OnionShare creator Micah Lee told The Daily Swig: “Both of those advisories are pretty low risk because the attacker is required to know the onion address but not the password – something that’s not very likely to happen since both the onion address and the password [are] part of the same URL that people would share.
“But that said, I very much appreciate IHTeam digging into our code hunting for bugs, and I hope others do the same in the future.”
This article has been updated to include comment from Micah Lee.