Finding the real address of Tor clients
The fine folks at Packetstorm Security have just published a paper "Practical Onion Hacking" (PDF download) that demonstrates how to exploit Javascript and Flash to discover the real identity of someone browsing via the Tor anonymous network.
From the paper:
Rather than attempting to exploit weaknesses in Tor, we make use of technology that 99% of the people browsing the web will have enabled: Javascript and Flash. There are two techniques we used:
- Causing a web-browser using Tor to "phone home", outside the Tor network
- Causing a web-browser using Tor to "phone home", inside the Tor network, and deliver uniquely-identifying information about the client, such as the computer's hostname and IP address
I recently discussed how Javascript, Flash and other components of the Tor-enabled web browser Torpark could be used to identify you, and also created an improved version of Torpark to improve anonymity.
The paper describes a man-in-the-middle attack using a subverted Tor exit node to inject Javascript, and ultimately a Flash application, into the victim's traffic. However, any web site could easily use the same method without needing to run a Tor exit node.
Flash applications can make direct HTTP requests (i.e. not using the host browser's Tor connection), so a web site can send a Flash application back to a Torified browser that will then connect directly to that same web site. Combine that with a unique tracking cookie and bingo… the web site has just mapped the real IP and hostname of the Tor user.
Conclusions of the paper: turn off Flash, Javascript, and just about everything else, ensure your DNS requests are being tunneled through Tor (Torpark does this for you), use SSL where possible to prevent third party alteration of traffic, and use text-based browsers like Lynx when possible.
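As an added example (not from the paper or this post), here is a small host-side check a defender can run over per-process outbound-connection log lines to spot exactly the failure described above: the browser or its Flash plugin opening a connection that does not go to the local Tor SOCKS listener. The log format, process names and SOCKS port are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed log format (an assumption, not any real tool's output):
# "<time> proc=<name> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)

# Processes that must only ever talk to the local Tor SOCKS listener (assumed names).
TORIFIED_PROCS = {"firefox", "torpark", "flashplayer"}
# Local Tor SOCKS listener the browser is configured to use (assumed).
TOR_SOCKS = ("127.0.0.1", 9050)


@dataclass
class Leak:
    time: str
    proc: str
    dst: str


def parse_line(line):
    """Parse one log line; return (time, proc, ip, port) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("time"), m.group("proc"), m.group("ip"), int(m.group("port"))


def find_leaks(lines):
    """Return connections by Torified processes that bypass the Tor SOCKS port."""
    leaks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        time, proc, ip, port = parsed
        if proc not in TORIFIED_PROCS:
            continue  # e.g. the tor daemon itself is expected to reach relays directly
        if (ip, port) == TOR_SOCKS:
            continue  # traffic correctly handed to Tor
        leaks.append(Leak(time, proc, f"{ip}:{port}"))
    return leaks


# Constructed sample: browser via SOCKS, tor reaching a relay, then the Flash
# "phone home" going straight to the web site, followed by the browser itself.
SAMPLE_LOG = [
    "12:00:01 proc=firefox dst=127.0.0.1:9050",
    "12:00:01 proc=tor dst=198.51.100.7:9001",
    "12:00:05 proc=firefox dst=127.0.0.1:9050",
    "12:00:09 proc=flashplayer dst=203.0.113.10:80",
    "12:00:10 proc=firefox dst=203.0.113.10:443",
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"{leak.time} {leak.proc} bypassed Tor -> {leak.dst}")
```

The same rule expressed as a host firewall policy (only the tor process may connect outbound) prevents the leak rather than merely logging it.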