[tor-bugs] #14841 [Tor Weather]: information disclosure: is a given email subscribing to any relay? (and which one?)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 10 07:54:09 UTC 2015
#14841: information disclosure: is a given email subscribing to any relay? (and
which one?)
-------------------------+---------------------
Reporter: cypherpunks | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Weather | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------+---------------------
The tor weather website can be used by an attacker to find out wheater a
certain email address is:
- subscribed to any relay
- including which relay exactly (if any)
Since subscribers are usually the operators of the given relays this can
be used to find operators of relays for further targetet attacks.
This weakness is only relevant for relays where the operator choose to use
a separate email address or an empty contact info (to avoid linking his
identity with a relay publicly).
Reproducer:
send subscribe requests via https://weather.torproject.org/subscribe/
as soon as you get, you can tell that you found one:
{{{
Tor Weather - Oops!
You are already subscribed to receive email alerts about the node you
specified.
}}}
fix:
easy: The response to the subscribe request should always look the same.
Don't send out an email in case the email was subscribed already.
more user friendly:
The response to the subscribe request should always look the same.
+ Send out an email that tells the supposed subscriber that he is actually
already subscribed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14841>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list