Tor Warns of Attack Attempting to Deanonymize Users

The Tor Project has disclosed details of an attack which appeared to be an attempt to deanonymize users of the popular anonymity network.

According to Tor Project Leader Roger Dingledine, the attack was detected on July 4 while the organization was trying to identify attacks leveraging a method discovered by researchers at Carnegie Mellon University’s CERT.

The researchers, Michael McCord and Alexander Volynkin, planned on detailing a way to break the anonymity network by exploiting fundamental flaws in its design and implementation at the upcoming Black Hat security conference, but their presentation was cancelled because their materials had not been approved for public release by the Software Engineering Institute at Carnegie Mellon University.

Dingledine believes that the attack they’ve detected could have been part of the experiments conducted by McCord and Volynkin. In fact, in the abstract of their presentation, which has been removed from the Black Hat website, the researchers claimed they had tested their method in the wild. Dingledine hopes that they were the ones conducting the attacks, but he’s not sure since the experts haven’t answered emails lately.

The Tor Project has been displeased with the fact that the researchers haven’t given them full access to the research. Dingledine says they’ve spent several months trying to get the information they needed to understand the flaws that expose Tor users.

The attack detected on July 4 was a combination of a traffic confirmation attack and a Sybil attack. The traffic confirmation attack involves controlling or monitoring relays (the nodes that receive traffic and then pass it along) in an effort to deanonymize users. The Sybil attack involved setting up roughly 115 new relays, which joined the network on January 30, but were only discovered on July 4. During the five-month period, these relays became entry guards for a large number of users, Dingledine said.
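A defender-side illustration of how a Sybil burst like the one described above stands out in relay data. This is an added example, not code from the Tor Project or from the original article: it flags days on which far more relays joined than the median day and counts how many of them hold the Guard flag. The relay records, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def make_sample_relays():
    """Constructed snapshot: a steady trickle of new relays plus one burst day."""
    relays = []
    start = date(2014, 1, 20)
    for day in range(20):                      # background: 2-4 joins per day
        for i in range(2 + day % 3):
            relays.append({
                "id": f"bg-{day}-{i}",         # placeholder, not a real fingerprint
                "first_seen": start + timedelta(days=day),
                "flags": {"Running", "Guard"} if i == 0 else {"Running"},
            })
    for i in range(115):                       # constructed burst on January 30
        relays.append({
            "id": f"burst-{i}",
            "first_seen": date(2014, 1, 30),
            "flags": {"Running", "Guard"} if i % 10 else {"Running"},
        })
    return relays


def find_join_bursts(relays, factor=10, min_count=20):
    """Return (day, joined, guards) for days whose join count dwarfs the median.

    Only days with at least one join are part of the baseline. `factor` and
    `min_count` are illustrative thresholds, not values used by Tor.
    """
    by_day = defaultdict(list)
    for relay in relays:
        by_day[relay["first_seen"]].append(relay)
    baseline = median(len(group) for group in by_day.values())
    bursts = []
    for day in sorted(by_day):
        group = by_day[day]
        if len(group) >= max(min_count, factor * baseline):
            guards = sum("Guard" in relay["flags"] for relay in group)
            bursts.append((day, len(group), guards))
    return bursts


if __name__ == "__main__":
    for day, joined, guards in find_join_bursts(make_sample_relays()):
        print(f"{day}: {joined} relays joined, {guards} now hold the Guard flag")
```

A burst alone is not proof of an attack, since a hosting provider or a relay drive can produce one too; the output is a list of days worth a closer look, for example at shared address ranges or operator contact information.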

It’s uncertain when the attack started, but users who operated or accessed hidden services between early February and July 4 should assume they’re affected, Dingledine added.

“Unfortunately, it’s still unclear what ‘affected’ includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” the Tor Project leader wrote in a blog post.

“In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.”

The protocol vulnerability exploited in the attack was patched on Wednesday with the release of Tor and All relay operators are advised to update their installations.

“Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service,” Dingledine said. 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
