On Wednesday afternoon, vulnerability and exploit research firm Exodus Intelligence disclosed a security vulnerability that would allow an attacker to deanonymize a user of Tails, the operating system that many journalists rely on to communicate securely with sources and that we have written about before. Tails is also integral to SecureDrop, our open-source whistleblower submission system, so we wanted to clarify if and how the vulnerability affects users of this system.
The vulnerability lies within the I2P software, which is bundled with Tails by default and can be used to connect to an alternative anonymity network. For this attack to work, a user would have to manually start the I2P software and view content that the attacker controls (e.g. by being tricked into visiting a specific website). Journalists and sources using Tails to access SecureDrop are not vulnerable to this attack unless they manually start the I2P software.
The Tails team and the I2P team have both received details about this vulnerability and are working on an analysis. Initial comments from an I2P developer suggests the exploit relies on the use of JavaScript.
JavaScript is a widely used programming language for making websites more interactive. In recent years, it has become nearly ubiquitous and most browsers enable it by default as a result. Unfortunately, JavaScript is also a common source of security vulnerabilities in browsers.
In the past, JavaScript exploits have been used by both the FBIand the NSA to attack users of the Tor anonymity network. Given these trends, we have long been encouraging SecureDrop users to disable JavaScript to protect themselves from malware that would use it to attack their browser and potentially deanonymize them.
JavaScript is not the only potential source of such exploits, but given its use in recent attacks, we believe it is prudent to disable it. This vulnerability only confirms that instinct. To do so, we recommend that sources (and everyone) use the NoScript add-on. The add-on is included in both Tails and the Tor Browser by default. To block all JavaScript, simply click the NoScript icon to the left of the address bar and select "Forbid Scripts Globally (advised)".
In a post published Thursday evening, the Tails developers suggest you protect yourself further by completely removing the I2P software every time you start the operating system. To do so, set an administration password and run the following command in the terminal: sudo apt-get purge i2p
This episode also shows why it's vital that we continue to support free software projects such as Tails, so they have enough funding to identify and fix potential vulnerabilities quickly. Currently, we are crowd-funding for four such free and open-source tools, including Tails and the Tor Project. Please consider donating to support these tools that can better protect the communications of journalists and sources.
If you have any questions, please email info@freedom.press.