Tor Warns of Attack Attempting to Deanonymize Users

The Tor Project has disclosed details of an attack which appeared to be an attempt to deanonymize users of the popular anonymity network.

According to Tor Project Leader Roger Dingledine, the attack was detected on July 4 while the organization was trying to identify attacks leveraging a method discovered by researchers at Carnegie Mellon University’s CERT.

The researchers, Michael McCord and Alexander Volynkin, planned on detailing a way to break the anonymity network by exploiting fundamental flaws in its design and implementation at the upcoming Black Hat security conference, but their presentation was cancelled because their materials had not been approved for public release by the Software Engineering Institute at Carnegie Mellon University.

Dingledine believes that the attack they’ve detected could have been part of the experiments conducted by McCord and Volynkin. In fact, in the abstract of their presentation, which has been removed from the Black Hat website, the researchers claimed they had tested their method in the wild. Dingledine hopes that they were the ones conducting the attacks, but he’s not sure since the experts haven’t answered emails lately.

The Tor Project has been displeased with the fact that the researchers haven’t given them full access to the research. Dingledine says they’ve spent several months trying to get the information they needed to understand the flaws that expose Tor users.

The attack detected on July 4 was a combination of a traffic confirmation attack and a Sybil attack. The traffic confirmation attack involves controlling or monitoring relays (the nodes that receive traffic and then pass it along) in an effort to deanonymize users. The Sybil attack involved setting up roughly 115 new relays, which joined the network on January 30, but were only discovered on July 4. During the five-month period, these relays became entry guards for a large number of users, Dingledine said.
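The Sybil half of the attack described above relied on a batch of relays joining on the same day and later earning the Guard flag. The following is an added example, not code from the Tor Project or from the article, showing how a relay-operator or directory-authority observer might flag such a cohort from consensus-style relay records. The relay records, fingerprints, dates and bandwidth values are all constructed for the demonstration; the guard-weight share is a simplified proxy for how much entry-guard selection the cohort would capture.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    fingerprint: str      # placeholder identifier, constructed
    first_seen: str       # date the relay first appeared (YYYY-MM-DD), constructed
    flags: frozenset      # consensus flags such as "Running" or "Guard"
    bandwidth: int        # consensus weight, constructed


# Constructed sample: 40 baseline relays that joined on scattered January dates
# (two out of three holding Guard), plus a 20-relay cohort that all joined on
# 2014-01-30 with the Guard flag, mirroring the pattern the article describes.
SAMPLE = [
    Relay(f"BASE{i:03d}", f"2014-01-{(i % 28) + 1:02d}",
          frozenset({"Running", "Guard"} if i % 3 else {"Running"}), 500 + 10 * i)
    for i in range(40)
] + [
    Relay(f"COHORT{i:03d}", "2014-01-30", frozenset({"Running", "Guard"}), 2000)
    for i in range(20)
]


def sybil_cohorts(relays, min_size=5, min_guard_fraction=0.8):
    """Return {join_date: (batch_size, guard_weight_share)} for every day on
    which at least `min_size` relays joined and at least `min_guard_fraction`
    of that batch now holds the Guard flag. guard_weight_share is the fraction
    of all Guard-flagged bandwidth the batch controls, a rough stand-in for the
    probability a client picks one of them as an entry guard (real Tor applies
    additional bandwidth-weight parameters, omitted here)."""
    by_date = defaultdict(list)
    for relay in relays:
        by_date[relay.first_seen].append(relay)
    total_guard_bw = sum(r.bandwidth for r in relays if "Guard" in r.flags)
    findings = {}
    for date, batch in by_date.items():
        if len(batch) < min_size:
            continue
        guards = [r for r in batch if "Guard" in r.flags]
        if len(guards) / len(batch) < min_guard_fraction:
            continue
        share = sum(r.bandwidth for r in guards) / total_guard_bw if total_guard_bw else 0.0
        findings[date] = (len(batch), round(share, 3))
    return findings


if __name__ == "__main__":
    for date, (size, share) in sybil_cohorts(SAMPLE).items():
        print(f"{date}: {size} relays joined together, {share:.1%} of guard weight")
```

Against the constructed sample the 2014-01-30 batch is the only cohort reported, holding roughly 69% of the guard weight even though it is a third of the relay count.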

It’s uncertain when the attack started, but users who operated or accessed hidden services between early February and July 4 should assume they’re affected, Dingledine added.

“Unfortunately, it’s still unclear what ‘affected’ includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” the Tor Project leader wrote in a blog post.

“In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.”

The protocol vulnerability exploited in the attack was patched on Wednesday with the release of Tor and All relay operators are advised to update their installations.

“Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service,” Dingledine said. 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
