The maintainers confirmed that Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.
“We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).” reads the advisory published by project maintainers.
Tails is a security and privacy-oriented Linux distribution, it is a portable operating system that protects against surveillance and censorship.
The root cause of the alert is a couple of critical zero-day issues, tracked as CVE-2022-1802 and CVE-2022-1529, in the Firefox browser that was addressed by Mozilla in May. The vulnerabilities were reported by Manfred Paul during the Pwn2Own 2022 hacking contest that took place in Vancouver last week:
The Tor browser is based on the Firefox browser and is developed as part of the Tor Project.
The CVE-2022-1802 vulnerability can allow an attacker to set up a rogue website to bypass some of the security built in Tor Browser and access information from other websites.
The Tails team pointed out that the flaw doesn’t break the anonymity and encryption of Tor connections, this means that it is still safe and anonymous to access websites from Tails if the users don’t share sensitive information with them.
“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.” reads the alert published by project maintainers.
This vulnerability will be addressed with the release of Tails 5.1 on May 31.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, domain name system)