Two flaws that could have jeopardised the anonymity of a file-sharing tool used by whistleblowers and journalists to exchange material securely have been patched.
OnionShare is an open source utility for Windows, macOS, and Linux that allows users to remain anonymous while doing things like file sharing, hosting websites, and communicating.
The service, which runs over the Tor network and was created by Micah Lee, director of information security at The Intercept, is used by members of the public, journalists, and whistleblowers to protect their privacy.
On October 4, OnionShare published a security advisory from IHTeam, which had carried out an independent assessment of the software and found two issues, CVE-2021-41868 and CVE-2021-41867, affecting versions prior to 2.4.
OnionShare’s file upload mechanism was found to be vulnerable to CVE-2021-41868. According to IHTeam, when OnionShare starts in non-public mode it generates a random username and password for HTTP Basic Auth, so uploads should only be possible for clients presenting those credentials.
However, the team discovered a logic flaw in receive_mode.py that allowed data to be uploaded and stored on the receiving host before the authentication check was performed.
CVE-2021-41867, the second vulnerability reported by the Italian security team, could be used to reveal the participants in a chat session. The flaw, in OnionShare’s --chat mode (chat_mode.py), allowed unauthenticated users to open websocket connections regardless of whether they held a valid Flask session cookie.
“It appears that it was not possible to intercept messages between users without a valid session ID, because the system heavily [relies] on the session to connect into the default room – and without a valid one, messages continue undelivered to illegitimate users,” the disclosing researcher Simone ‘d0td0tslash’ said.
“However, it is suggested that you do not initiate a socket.io connection without first validating the session cookie.”
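To make the two bug classes concrete, here is an added illustration written for this article. It is not OnionShare’s code and does not reproduce receive_mode.py or chat_mode.py: the Request stand-in, the storage list, the ChatServer model and every function name are assumptions made for the example, and the credentials and session values used with it are constructed test data.

```python
# Added illustration for this article: a minimal model of the two bug classes
# described above. It is NOT OnionShare code; Request, ChatServer and all
# function names here are assumptions made for the example.
import base64
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP or socket request."""
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    cookies: dict = field(default_factory=dict)


def basic_header(username, password):
    """Build an HTTP Basic Authorization header value (helper for callers)."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def basic_auth_ok(request, username, password):
    """Validate Basic Auth, comparing both fields in constant time."""
    header = request.headers.get("Authorization", "")
    if not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, pw = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(user.encode(), username.encode())
    pw_ok = hmac.compare_digest(pw.encode(), password.encode())
    return user_ok and pw_ok


def receive_vulnerable(request, storage, creds):
    """Ordering bug of the kind behind CVE-2021-41868: the body is persisted
    first and credentials are checked afterwards, so an unauthenticated client
    still gets its upload stored (status 401 is returned only after the fact)."""
    storage.append(request.body)
    if not basic_auth_ok(request, *creds):
        return 401
    return 200


def receive_fixed(request, storage, creds):
    """Hardened ordering: refuse before the body is read or stored."""
    if not basic_auth_ok(request, *creds):
        return 401
    storage.append(request.body)
    return 200


class ChatServer:
    """Toy room-based chat over persistent sockets (assumed model). Messages
    reach only session-gated room members, but participant updates are pushed
    to every open socket, so session-less connects leak who is in the room."""

    def __init__(self, valid_sessions, check_session_on_connect):
        self.valid_sessions = set(valid_sessions)
        self.check_session_on_connect = check_session_on_connect
        self.sockets = {}  # socket id -> session cookie value (or None)
        self.room = {}     # session cookie value -> display name
        self._next_id = 0

    def connect(self, request):
        """Return a socket id, or None when the connection is refused."""
        session = request.cookies.get("session")
        if self.check_session_on_connect and session not in self.valid_sessions:
            return None  # the fix: no socket at all without a valid session
        self._next_id += 1
        self.sockets[self._next_id] = session
        return self._next_id

    def join(self, sock, name):
        """Join the default room; silently ignored without a valid session."""
        session = self.sockets.get(sock)
        if session in self.valid_sessions:
            self.room[session] = name

    def participants_seen_by(self, sock):
        """Participant list as delivered to any open socket, session or not."""
        if sock not in self.sockets:
            return None
        return sorted(self.room.values())

    def deliver(self, sock, text):
        """Route a message; only sockets bound to a room member receive it."""
        if self.sockets.get(sock) not in self.room:
            return []
        return [(s, text) for s, sess in self.sockets.items() if sess in self.room]
```

The two fixes share one principle: authenticate before doing any work on behalf of the client. In receive_fixed the credential check runs before the body is touched, so a client without the random username and password cannot write anything to disk; in ChatServer with check_session_on_connect=True the session cookie is validated at connect time, so an outsider never holds a socket that participant updates could be pushed to, even though, as the researcher noted, message delivery itself was already gated on the session.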
On September 17, OnionShare’s developers fixed both vulnerabilities and released version 2.4 of the software.
“Both of those advisories are pretty low risk because the attacker is required to know the onion address but not the password – something that’s not very likely to happen since both the onion address and the password are part of the same URL that people would share,” OnionShare creator Micah Lee told The Daily Swig in response to the disclosure.
“However, IHTeam diving into our code in search of flaws is very much appreciated, and I hope others do the same in the future.”