OnionShare, the file-sharing platform used by journalists and whistleblowers, discloses two bugs fixed in its latest release

October 23, 2021

OnionShare, a file-sharing tool used by journalists and whistleblowers to send information confidentially to a chosen recipient, has disclosed two vulnerabilities that are fixed in its latest release. Had they gone unnoticed, the bugs could have undermined the anonymity protections the tool is relied on for.

The tool lets users share files, chat, and host websites while remaining anonymous. It is open source and runs on Windows, Linux, and macOS.

Developed by Micah Lee of The Intercept and built on the Tor network, the service is available to the general public, not only to journalists and whistleblowers.


What is behind the discovery of the OnionShare bugs?

A security advisory for OnionShare was published this October after a series of assessments of the software turned up two bugs, tracked as CVE-2021-41867 and CVE-2021-41868. Both affect every version before 2.4.

The second, CVE-2021-41868, lies in OnionShare's receive mode, the file-upload feature. When started in non-public mode, receive mode generates a random username and password and protects the upload endpoint with HTTP Basic Auth, so only clients holding those credentials should be able to upload. After analysing receive_mode.py, however, the researchers found a logic flaw: an uploaded file is received and written to disk before the authentication check runs, so a client without the credentials can still deposit files on the receiver's machine even though the request is ultimately rejected.
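The ordering flaw described above is a general anti-pattern: a handler that consumes and persists a request body before it has decided whether the caller is authorised. The following is an added illustration written for this article, not OnionShare's own code; the username "onionshare", the handler names and the single-file "upload" (a stand-in for multipart parsing) are assumptions. It places a vulnerable handler, which stores the file and only then checks Basic Auth, beside a fixed one that refuses the request before touching the body, and shows that the rejected upload still lands on disk in the first case.

```python
import base64
import hmac
import io
import os
import secrets
import tempfile
from typing import BinaryIO, Dict

# Credentials generated at startup, as receive mode does in non-public mode.
# The fixed username and the random password are assumptions for this example.
USERNAME = "onionshare"
PASSWORD = secrets.token_urlsafe(16)


def make_auth_header(user: str, pw: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def check_basic_auth(headers: Dict[str, str]) -> bool:
    """Validate a Basic Auth header; comparisons are constant-time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, pw = decoded.partition(":")
    if not sep:
        return False
    return hmac.compare_digest(user.encode(), USERNAME.encode()) and \
        hmac.compare_digest(pw.encode(), PASSWORD.encode())


def save_upload(body: BinaryIO, dest_dir: str, filename: str) -> str:
    """Stream the request body to disk (stand-in for multipart parsing)."""
    path = os.path.join(dest_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        for chunk in iter(lambda: body.read(4096), b""):
            fh.write(chunk)
    return path


def handle_upload_vulnerable(headers, body, dest_dir, filename) -> int:
    """Flawed order: the body is consumed and stored, then auth is checked.
    The client gets a 401, but the file is already on disk."""
    save_upload(body, dest_dir, filename)
    if not check_basic_auth(headers):
        return 401
    return 200


def handle_upload_fixed(headers, body, dest_dir, filename) -> int:
    """Correct order: reject before reading the body, so nothing is written."""
    if not check_basic_auth(headers):
        return 401
    save_upload(body, dest_dir, filename)
    return 200


def demo(handler, authorized: bool = False):
    """Send one upload through `handler`; return (status, file_written)."""
    dest = tempfile.mkdtemp()
    pw = PASSWORD if authorized else "wrong-password"
    headers = {"Authorization": make_auth_header(USERNAME, pw)}
    body = io.BytesIO(b"constructed sample upload\n")  # constructed request body
    status = handler(headers, body, dest, "dropped.txt")
    return status, os.path.exists(os.path.join(dest, "dropped.txt"))


if __name__ == "__main__":
    print("vulnerable, bad creds:", demo(handle_upload_vulnerable))  # (401, True)
    print("fixed, bad creds:     ", demo(handle_upload_fixed))       # (401, False)
    print("fixed, good creds:    ", demo(handle_upload_fixed, True)) # (200, True)
```

In a real Flask or WSGI service the same bug appears whenever a custom request class or a streaming middleware parses and stores the body before the route's `before_request` or decorator-based auth check runs; the check has to happen at the point where the body is first read, not where the route returns.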

The first bug, CVE-2021-41867, was discovered by an Italian security team. It allows the disclosure of the participants in a chat session. The problem was identified in OnionShare's chat mode code, chat_mode.py, which accepted WebSocket connections from unauthenticated users, whether or not they held a valid Flask session cookie.

According to the researcher who disclosed the issue, it is not possible to intercept messages between users without an existing valid session ID. The researcher added that messages remain undelivered to unauthenticated users, since the system relies on the session to join the default room. Lastly, the researcher states that a socket.io connection must never be initiated without validating the session cookie.
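To make the recommendation concrete, here is an added example, written for this article and not taken from OnionShare or Flask-SocketIO, of a connect handler that validates a signed session cookie before admitting a socket to the participant list. The cookie format (an HMAC-SHA256 signature over a base64 JSON payload), the `ChatServer` class and the participant names are assumptions; Flask's real session cookie uses a different serialiser, but the check is the same in spirit. The vulnerable configuration admits any connection and then leaks the participant list to it; the fixed one rejects the connection first.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Per-process secret, as a Flask app's SECRET_KEY would be (assumption).
SECRET_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def issue_session_cookie(username: str) -> str:
    """Mint a signed cookie for a user who already passed HTTP auth (assumed flow)."""
    payload = base64.urlsafe_b64encode(json.dumps({"name": username}).encode())
    return payload.decode() + "." + _sign(payload).decode()


def verify_session_cookie(cookie: str) -> Optional[dict]:
    """Return the session dict if the signature verifies, otherwise None."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


class ChatServer:
    """Minimal stand-in for a socket.io chat room (illustrative, not OnionShare's)."""

    def __init__(self, validate_on_connect: bool):
        self.validate_on_connect = validate_on_connect
        self.participants: Dict[str, str] = {}  # socket id -> display name

    def on_connect(self, sid: str, cookie: str) -> bool:
        """Connect handler; returning False refuses the socket."""
        session = verify_session_cookie(cookie) if cookie else None
        if self.validate_on_connect and session is None:
            return False  # fixed behaviour: reject before the socket learns anything
        # vulnerable behaviour: an unvalidated socket still joins the room
        self.participants[sid] = session["name"] if session else "anonymous"
        return True

    def list_participants(self, sid: str) -> Optional[List[str]]:
        """What a connected socket receives when the user list is broadcast."""
        if sid not in self.participants:
            return None
        return sorted(self.participants.values())


def demo(validate_on_connect: bool):
    """Two real users join, then a client with a tampered cookie tries to connect."""
    server = ChatServer(validate_on_connect)
    server.on_connect("sid-alice", issue_session_cookie("alice"))
    server.on_connect("sid-bob", issue_session_cookie("bob"))
    forged = issue_session_cookie("mallory")[:-4] + "AAAA"  # signature clobbered
    accepted = server.on_connect("sid-mallory", forged)
    return accepted, server.list_participants("sid-mallory")


if __name__ == "__main__":
    print("no validation on connect:", demo(False))  # (True, ['alice', 'anonymous', 'bob'])
    print("validation on connect:   ", demo(True))   # (False, None)
```

The point is the placement of the check: a room join that happens inside the connect handler has already disclosed membership by the time any later per-message authorisation runs, so the session must be verified before the socket is added to any room.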

OnionShare's developers have addressed both issues in a new release, version 2.4.
