The maintainers confirmed that Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.
“We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).” reads the advisory published by project maintainers.
Tails is a security and privacy-oriented Linux distribution, it is a portable operating system that protects against surveillance and censorship.
The root cause of the alert is a couple of critical zero-day issues, tracked as CVE-2022-1802 and CVE-2022-1529, in the Firefox browser that was addressed by Mozilla in May. The vulnerabilities were reported by Manfred Paul during the Pwn2Own 2022 hacking contest that took place in Vancouver last week:
The Tor browser is based on the Firefox browser and is developed as part of the Tor Project.
The CVE-2022-1802 vulnerability can allow an attacker to set up a rogue website to bypass some of the security built in Tor Browser and access information from other websites.
“If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.” reads the advisory.
The Tails team pointed out that the flaw doesn’t break the anonymity and encryption of Tor connections, this means that it is still safe and anonymous to access websites from Tails if the users don’t share sensitive information with them.
“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.” reads the alert published by project maintainers.
The maintainers’ alert states that other applications in OS are not affected by the flaw. Thunderbird, for example, is not affected because JavaScript is disabled.
The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.
This vulnerability will be addressed with the release of Tails 5.1 on May 31.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, domain name system)
[adrotate banner=”5″]
[adrotate banner=”13″]