Tor Browser Security Audit reveals 2 high security issues
The Tor Browser project asked the penetration testers at Cure53 to audit core components of the project. Among the components were the BridgeDB software, building infrastructure, specific Tor Browser alterations and rdsys software. Tor Browser is a Firefox-based web browser that is designed specifically for the purpose of keeping its users anonymous and allowing censored users to access blocked resources.
Out of scope of the analysis was a general analysis of the codebase of the Firefox web browser.
Cure53 analyzed the six main components over the course of 72 days starting in February 2023. The analysis divided the components into six distinct work packages. Eight skill matched senior testers went to work in the given time period.
The team found a total of nineteeen issues, of which three were deemed security vulnerabilities and the remaining sixteen miscellaneous, as they "incur little exploitation potential".
The two security issues rated high and the one security issue rated medium have been addressed by the Tor Project shortly after the review period ended.
One of the issues was found in the rdsys source code. The Resource Distribution System is used to provide censored users with resource access. It lacked resource registration endpoint registration, which could have allowed attackers to "register arbitrary malicious resources for distribution to users".
The second major issue that the researchers discovered was found in the returned bridge list, as it was not cryptographically signed. It could allow attackers to potentially eavesdrop on the connection or "with access to the server providing the bridge list".
The third and final issue, rated medium, was a privilege escalation from nobody to rdsys in deploy script.
The project implemented "robust authentication mechanisms" for all endpoints and "cryptographic means to verify Tor as the distributor". This should reduce the risk of unauthorized access and tampering significantly.
All in all, the auditors commended the project for "an admirably robust and hardened security posture and sound design decisions". Code
Tor Browser is a special web browser designed specifically to protect the privacy of its users and keep them anonymous on the Internet. It is based on Firefox ESR, but includes a number of modifications and features that Firefox lacks or does not set by default.
The full audit report has been published as a PDF document on the Tor Project website. You can access it here.
The Tor Project announced plans to run regular assessments of security and to share the findings with the public.
Closing words
The number of issues discovered during the audit is not uncommon for a project of this size. Only three of these were rated as security issues, the remaining 16 were rated low or informational only.
Still, for Tor Browser users, it is reassuring that the team acted swiftly and plans to run regular security assessments in the future to bolster overall security of the project.
