Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by Trac@tracbot

New Identity bypass

The "new identity" bypass requires no JS and works with highest private and security level that Tor Browser has! The attack works because favicon cache is not truncated. An attacker may spread unique tokens as part of the favicon addressess.

The new identity may be traced to the old one, since we know which token is given to which user and have ability to test if the user has the exact token (use token once, mark it as used and generate more if required). Furthermore, because the favicon connection is not closed when the "new identity" is ran we have also the knowledge that the tor browser is still open. Favicons are flushed when browser is closed.

Trac:
Username: tahuttun

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information