OnionShare: Secure communications platform used by whistleblowers and journalists patches data exposure bug
05 October 2021 at 12:35 UTC
Updated: 05 October 2021 at 12:44 UTC
Open source software is used to protect a sender’s identity
A tool used by whistleblowers and the media to securely send information has patched two vulnerabilities that could have impacted the anonymous nature of the file-sharing system.
OnionShare is an open source tool available across Windows, macOS, and Linux systems, designed to keep users anonymous while carrying out activities including file sharing, website hosting, and messaging.
The service, made available through the Tor network and developed by The Intercept director of infoSec Micah Lee, is used by the general public as well as journalists and whistleblowers to preserve privacy.
On October 4, IHTeam published a security advisory on OnionShare. The team conducted an independent assessment of the software and uncovered two bugs, tracked as CVE-2021-41868 and CVE-2021-41867, which exist in versions of the software prior to v.2.4.
CVE-2021-41868 was found in OnionShare’s file upload mechanism. By default, OnionShare generates random usernames and passwords in Basic Auth at startup in non-public mode, IHTeam says, and so upload functionality should be limited to those with the right credentials.
However, while analyzing the function, the team found that a logic issue caused files to be uploaded and stored remotely before an authentication check took place.
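The ordering flaw described above, shown as an added illustration that is not OnionShare's code or IHTeam's: a minimal Python model of an upload handler that stores the body before checking Basic Auth, beside one that checks first. The handler names, credentials and file name are constructed for the example.

```python
import base64, hmac, io, os, tempfile

def authorized(headers, user, password):
    """Check an HTTP Basic Auth header with a constant-time comparison."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64 is treated as bad credentials
        return False
    expected = f"{user}:{password}".encode()
    return hmac.compare_digest(supplied, expected)

def save_body(body, upload_dir, name):
    """Write the request body into upload_dir under a sanitised file name."""
    path = os.path.join(upload_dir, os.path.basename(name))
    with open(path, "wb") as out:
        out.write(body.read())
    return path

def upload_store_then_check(headers, body, name, upload_dir, user, password):
    # Flawed ordering: the body is on disk before credentials are examined,
    # so a rejected request still leaves a file behind.
    save_body(body, upload_dir, name)
    return 200 if authorized(headers, user, password) else 401

def upload_check_then_store(headers, body, name, upload_dir, user, password):
    # Corrected ordering: reject first, touch the filesystem only afterwards.
    if not authorized(headers, user, password):
        return 401
    save_body(body, upload_dir, name)
    return 200

def demo():
    """Send one request without credentials to each handler; report disk state."""
    results = {}
    for handler in (upload_store_then_check, upload_check_then_store):
        with tempfile.TemporaryDirectory() as d:
            # Constructed sample request: no Authorization header at all.
            status = handler({}, io.BytesIO(b"constructed sample"), "note.txt",
                             d, "user-constructed", "password-constructed")
            results[handler.__name__] = (status, os.listdir(d))
    return results

if __name__ == "__main__":
    print(demo())
```

Both handlers answer 401 to the request without credentials, so the status code alone does not reveal the difference; a regression test has to assert on the contents of the upload directory.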
The second vulnerability reported by the Italian security team, CVE-2021-41867, could be exploited to disclose the participants of a chat session. This problem, found in OnionShare’s parameter (), allowed websocket connections from unauthenticated users, whether or not they owned a Flask session cookie.
“It seems that without a valid session ID it was not possible to intercept messages between users, since the system heavily [relies] on the session to connect into the default room – and without a valid one, messages remain undelivered to unauthenticated users,” the disclosing researcher Simone ‘d0td0tslash’ said.
“It is however recommended to avoid initiating a socket.io connection without prior validating the session cookie.”
OnionShare developers have now tackled both issues and released a new version of the software, v.2.4, on September 17.
The Daily Swig has reached out to Lee and we will update as and when we hear back.