Connect with us

Hi, what are you looking for?


Application Security

Tor Code Audit Finds 17 Vulnerabilities

Over a dozen vulnerabilities discovered in Tor audit, including a high-risk flaw that can be exploited to inject arbitrary bridges. 

Tor security audit

A comprehensive code security audit focusing on several components of the Tor anonymity network discovered more than a dozen vulnerabilities, including an issue that has been classified as ‘high risk’.

The audit, conducted by non-profit cybersecurity consultancy Radically Open Security between April and August 2023, covered the Tor browser, exit relays, exposed services, infrastructure, and testing and profiling tools. The results of the assessment were made public this week.  

The audit, a crystal box penetration test (where the tester has access to the source code), uncovered a total of 17 security issues. 

A majority are medium- and low-risk flaws that can be exploited to launch DoS attacks, downgrade or bypass security, and gain access to information. Some issues are related to the use of outdated or unmaintained third-party components.

The most serious of the flaws is a cross-site request forgery (CSRF) bug affecting the Onion Bandwidth Scanner (Onbasca). This high-risk vulnerability can allow an unauthenticated attacker to inject bridges into the database.

Onbasca is a bandwidth scanner run by directory authorities, special relays that maintain a list of currently-running relays. Bandwidth scanners can help monitor performance, distribute the load across the Tor network, and detect attacks. 

Bridges are unlisted relays that can be helpful to users under oppressive regimes as they are more difficult to block.

“Attackers can lure Directory Authorities victims to their site and perform a successful CSRF attack as soon as the victim’s browser runs in the same network as Onbasca. This is the case when the victim uses the Django web interface. As a result, pre-authenticated attackers can inject attacker-controlled IPs into the database,” Radically Open Security explained in its report. 

Advertisement. Scroll to continue reading.

It added, “When the bridgescan command is invoked, which runs regularly, the Onbasca application will connect to the attacker-controlled bridge. By doing this, attackers may be able to daemonize the hosted instance of Onbasca or carry out further attacks.”

The latest security audit comes after penetration testing firm Cure53 conducted a security assessment focusing on identifying vulnerabilities introduced by user interface changes and an audit related to censorship circumvention

Related: Critical Git Vulnerabilities Discovered in Source Code Security Audit

Related: Tor Network Removes Risky Relays Associated With Cryptocurrency Scheme

Related: Tor Network Under DDoS Pressure for 7 Months

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.