We'll Pay You to #HackTor

by gk | July 20, 2017

There are bugs among us

Millions of people around the world depend on Tor to browse the internet privately and securely every day, so our security is critical. Bugs in our code pose one of the biggest threats to our users’ safety; they allow skilled attackers to bypass Tor’s protections and compromise the safety of Tor users.

We’re constantly looking for flaws in our software and been fortunate to have a large community of hackers who help us identify and fix serious issues early on, but we think we can do even more to protect our users. That’s why if you can #HackTor and find bugs in our software, we want reward you.

Join our first public bug bounty

With support from the Open Technology Fund, we’re launching our first public bug bounty with HackerOne. We’re specifically looking for your help to find bugs in Tor (the network daemon) and Tor Browser. A few of the vulnerabilities we’re looking for include local privilege escalation, unauthorized access of user data, attacks that cause the leakage of crypto material of relays or clients, and remote code execution. In January 2016, we launched a private bug bounty; hackers helped us catch 3 crash/DoS bugs (2 OOB-read bugs + 1 infinite loop bug) and 4 edge-case memory corruption bugs.

Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attacks. We’ll award up to $4,000 per bug report, depending on the impact and severity of what you find.

Here's how to get started

Sign up for an account at HackerOne. Visit https://hackerone.com/torproject for the complete guidelines, details, terms, and conditions of our bug bounty. Then, start finding and reporting bugs to help keep Tor and Tor Browser safe.

Happy bug hunting!

Comments

Please note that the comment area below has been archived.

July 20, 2017

Permalink

This is really nice to hear! I assume that vulnerabilities (or rather shortcomings) found in your patches for Firefox that can affect fingerprinting are included as well?

No. As the policy on HackerOne says, only Tor (the network daemon) and Tor Browser are currently covered. If we broaden the scope of you bug bounty program we'll announce that publicly.

July 20, 2017

Permalink

it is the duty of every user to help you (i have found yet like everybody at least ten and reported on this blog and o.s mailing-list) and i let the 'award' for your team ... you are not speaking about an audit & you do know that some supercomputer center open their doors for testing and finding bugs gratis ...
i use sandbox for my mail & tor as browser : i do not like some option/configuration (you should contact calomel for a better explanation e.g query ocsp).
you are not on dane so you should update and the addon & your site & tor _ https observatory is -according on my own opinion useless and a potential risk.
have you an aggressive program that i could submit/test tor ?
have you a site test ?
have you some bad address that i could try ?
i tried even fbi agency, cia, white house, military center and noticed some attacks but no bugs , sorry.
for finding bugs i provoked a lot (taxes & foreign agency) and received very aggressive responses : freeze & remote code execution (terminal ! ) , (local privilege escalation = slice installing a sid: sparsky), unauthorized access of user data (they looked for db & steno _ 5 pictures spoiled !) like usual but is it a clue of tor bug ? is it not a firefox or o.s one first ?
about relay ... you know that it is depending also on the person who is behind ... so i cannot speak for the others : sorry.

> have you an aggressive program that i could submit/test tor ?

The Debian software repositories offer various utilities which will attempt to check source code for insecurities. So you could download the last Tor server/client and Tor Browser source code and use them to look for problems. To be sure, I presume that Team Tor already does that routinely.

July 20, 2017

Permalink

This is excellent news. It has recently happened that two major sellers using onion have been taken down, so I fear there is an exploit available for Firefox that they are keeping very quiet about

There is no way for us to compete with government or private industry budgets in that regard, alas. And I don't expect that will change anytime soon. However, we still think awarding the amount of money we currently do award is way better than "just" acknowledging hard work on bug tickets or code commit messages.

so find one and sell it to them for 1 000000 $ (in fact they do not need you and it is illegal so you will have a direct access to the jail _ it is available only if you work for them with a contract lol)

July 21, 2017

Permalink

I always use Tor while surfing the internet yet somebody hacked into my computer and destroyed all four of my PC's using a VPN and merging his drivers with mine to the point that he could perform remote access on BIOS.

I don't know if that's relevant. If it is please provide me with an email to report the details.

Sounds like you clicked on a nefarious link. I doubt very much that tor can prevent such disasters.

BTW I'm now wondering whether the well-known anti-virus apps automatically protect against internet malware while using tor? My anti-virus app has an 'other browser' box which is enabled but I haven't a clue if this relates to tor?

I've used tor on the regular www network just as an experiment and am pleased to report that I experienced no real difficulties. That said, my Mozilla browser uses identical tor settings - where possible - with the exception of the 'whitelist', of course.

> BTW I'm now wondering whether the well-known anti-virus apps automatically protect against internet malware while using tor? My anti-virus app has an 'other browser' box which is enabled but I haven't a clue if this relates to tor?

Important points about what has been publicly discussed so far about state-sponsored malware include:

o major goals of the malware authors include:
+ defeating (or even exploiting for attacks) the latest anti-virus
+ defeating Tor
+ using "fileless" malware to establish persistence rather than leaving anything on a hard drive
+ attacking BIOS or microcontrollers (in hard drives etc) rather than the OS
+ remaining undetected
+ deflecting suspicion (preferably to an adversary) if detected
+ starting with unsophisticated recon and gradually increasing sophistication of attacks
+ increasingly sophisticated phishing campaigns to gain access to target networks
+ starting by exfiltrating file names and later gradually exfiltrating the actual files
+ hijacking third party servers for "staging" during covert exfiltration of files
+ hijacking third party servers for sending malware to targets
+ learning from other malware authors including criminal hackers

o the increasing role of surveillance-as-a-service companies
+ even governments with well-financed spy agencies (such as USA) hire them
+ companies such as Gamma, Hacking Team, and NSO sometimes work together
+ the worst governments of the world can and do hire the three named companies
+ these companies are concentrated in Israel, USA, UK, EU but are also found in South Africa, Russia, and Asia
+ contrary to US Congress claims, Kaspersky may *not* be simply a catspaw of Putin (certainly this is one A/V company which has not hesitated to discuss NSA malware in public, which gives an invaluable counterbalance to the eagerness of "Western" AV companies to discuss RU malware)

o the scope of the targeted populations is rapidly increasing, and currently includes:
+ soda tax activists
+ children of friends of "interesting people"
+ human rights activists
+ bloggers who express support for the Black Lives Matter or Occupy movement
+ local, provincial, and national level politicians
+ scientists (esp. in politicized fields like climate change and cybersecurity)
as well as such obvious categories as
+ heads of state
+ local, provincial, national government employees
+ telecom engineers, power grid technicians
+ reporters

o the worst governments in the world (even poor ones) can and do hire SAAS companies

o increasingly, many governments appear to share information with criminal elements such as drug cartels (which may even help pay for the SAAS subscriptions)

o countermeasures by targeted populations *can* be effective in hindering intrusions

I suggest that Tor users make a habit of checking Techdirt and:

Citizen Lab irregular but frequent publications of studies of state-sponsored malware:

https://citizenlab.ca/

Wikileaks publication each Friday of leaks from Vault7 (CIA malware):

https://wikileaks.org/

And, over time, it is very helpful to study the documents in EFF's (incomplete) collection of published Snowden leaks:

https://www.eff.org/nsa-spying/nsadocs

as well as other Wikileaks publications, such as their study of how US secret agents regularly dox themselves (and provide vast amounts of "order of battle" type information plus code names and techniques) at publically readable job sites catering to the US military-surveillance-industrial complex.

> My anti-virus app has an 'other browser' box which is enabled but I haven't a clue if this relates to tor?

If there is an option for "Firefox", you could probably try checking that box, but I defer to the expertise of Team Tor.

Every single one of those claims were non-sequitors. There is no such thing as an attack involving "merging his drivers with your own". Most likely, you got a regular old virus, or perhaps some script kiddie gave you a RAT, in which case stop downloading those dolphin screensavers. Also possible is that there was a simple power surge that destroyed all your computers.

As for the claim that someone could remotely access your BIOS, that's easy to check. Buy a device called an SPI reader, and you can download the data off your BIOS chip and compare it against the factory version.

I've seen many cases of people who have something go wrong with their computer, and immediately suspect a highly sophisticated attacker, or an attacker with no other goal but to destroy your hardware. I met one guy who's computer got slow because his GPU was overheating or something, and he was convinced that a flash drive he plugged into his computer infected his BIOS and messed with his GPU. It's bizarre paranoia bordering on schizophrenia.

Post more details and we'll be able to tell if there's something to this (i.e. you got an old virus that just wants to break shit), or if it's in your head.

July 21, 2017

Permalink

I have always wondered why you ended the Vidalia project, which allowed users to see what connections were being made in detail, in favor of allowing the Firefox browser, which had been hacked before, to control tor and show minimal information. This decision in itself has made me question your integrity in favoring providing less connection information rather than more and giving the browser, the weakest part of the package, far greater access to tor. I have noticed on several occasions connections that would start uploading data at a constant rate which I could not see due to the limited information you now provide in tbb. I can only suspect this was by design.

The first reason for deprecating Vidalia was that nobody was maintaining it, and it was rotting.

The next reason was that by consolidating everything into Tor Browser, we could start using the browser's auto update feature. That was huge, since before that people had to decide to update manually, which meant basically nobody updated in a reasonable time frame after releases.

Oh, and if you're thinking of using anything other than Tor Browser to browse with Tor, take a very careful look through https://sedvblmbog.tudasnich.de/projects/torbrowser/design/ and make sure that you are handling all of those fixes and features yourself -- you probably aren't, and all the other browsers have huge problems with application-level privacy.

If you want to figure out the usability issues for getting a local bandwidth graph back into Tor Browser, in a way that users know what's going on, I think that would be great!

July 21, 2017

Permalink

When registering at hackerone.com the terms and conditions include:

"To be eligible to receive a Bounty, however, you must provide HackerOne with accurate, complete and up-to-date information about you, including your mailing address, social security number (if applicable) and any other information that HackerOne reasonably requests, to allow HackerOne to legally send any Bounty to you and file the appropriate tax form following year end."

Is it possible to remain anonymous and get paid in Bitcoin instead?

Yes, me and my team would love to participcate as well, but dear Tor Bloggers, this offer is plain bullshit when a hacker cannot remain anonymous. Who owns HackerOne? The CIA? Zionists? Let's be honest, this Bug Bounty program must protect ethical hackers and Tor developers, otherwise this won't work. Please consider adding PaySafeCard right now and Dash (possibly even Dash Evolution) to the payout options for the future. Anonymity is key - even when helping. ;-)

> social security number

No American citizen should *ever* give their SSN to *anyone*.

Ever. To anyone. Not even the last four digits.

Example: when the Drump administration demanded that US state election officials give them a list of all the voters in their state, they asked in particular for the last 4 digits of their SSNs. Why? Because they already knew the first 5 for each voter.

@ arma:

Is it true that HackerOne is asking for SSNs? Can you explain why TorProject thinks that it an appropriate thing for a privacy-rights group to tacitly condone?

> Can you explain why TorProject thinks that it an appropriate thing for a privacy-rights group to tacitly condone?

Because the people stealing the fruits of my labor via the threat of violence, also demands that everyone files paperwork as well.

https://www.irs.gov/pub/irs-pdf/fw9.pdf
> An individual or entity (Form W-9 requester) who is required to file an information
return with the IRS must obtain your correct taxpayer identification number (TIN)
which may be your social security number (SSN), individual taxpayer identification
number (ITIN), adoption taxpayer identification number (ATIN), or employer
identification number (EIN), to report on an information return the amount paid to
you, or other amount reportable on an information return.

yawning

July 24, 2017

In reply to yawning

Permalink

[ I'm deleting most of your rant. Get a blog and post stuff there, and if you really want to address Shari, use e-mail. ]

You asked why a program that is paying people money is asking for information. I answered, though this information is also stated in their privacy policy:

> to allow HackerOne to legally send any Bounty to you and file the appropriate tax form following year end.

I assume that they make non-US people send in form W-8BEN instead.

July 21, 2017

Permalink

Is the bounty program also working for Open-Core developers that fix things about Tor that cannot be fixed by software ?

July 21, 2017

Permalink

A major flaw is that by virtue of having three relays, the middle relay is privy to the two relays that are the entry and exit. That lets a non-global adversary make ad hoc requests to the ISPs as to the identity of the user and the destination server. That kind of dragnet could even be automated.

But the middle relay doesn't know that the particular circuit it sees is interesting?

If the attacker is in a position to just collect info from all the ISPs on the Internet, then most systems, including Tor, are in bad shape.

July 23, 2017

In reply to arma

Permalink

Speaking of governments demanding data from ISPs, this just came out:

https://www.eff.org/who-has-your-back-2017

Among the worst companies surveyed: ATT, Comcast, Verizon
Among the best: Credo Mobile, Sonic

As another example of the crucial role played by corporate lobbying and the American political mess: providers such as Sonic are currently prevented from expanding by what are effectively eternal monopolies granted by most states and cities to the worst providers (ATT, Comast, Verizon).

Someone asked above about issues other than technical flaws in Tor itself, and this would be an example of such an issue.

July 23, 2017

In reply to arma

Permalink

so users of Tor (& most system) must do much effort for re-appropriate the net for themselves : the more users the more safe you are (encryption is your friend).

July 22, 2017

Permalink

So just throwing this out there - the comment thread got very long and confusing.

Could someone please post the actual link for me to go hunt for Tor's bugs please? I'd like to learn some things to become useful and master the internet. Preferably with as few distractions as possible. K, thanks.

Thanks for getting involved in the Great Bug Hunt!

I think the best way to get started is to do some reading of papers by established researchers in this very complicated and technically challenging area. Fortunately there is an extensive collection of free high quality (mostly) papers at

https://www.freehaven.net/anonbib/date.html

(Not a TP employee, just another Tor user who wants to help.)

July 22, 2017

Permalink

une faille à protéger dans Tor est de veiller à ce que les données concernant la cryptographie ne soient pas trop riches d'enseignements et de détails comme les techniques de cryptages des informations que j'ai trouvé sur le wikipédia. Un exemple: rien qu'avec mes bases de sciences d'un niveau de collégien, je peux envisager 2 techniques de subversion du Tor , la première: figer dans le temps 1 méga octet de données provenant des utilisateurs de Tor qui sont comptabilisable, imaginons 1 million d'utilisateurs , selon un mode de cryptage que j'invente en écrivant ceci qui se traduit par une alternance de 1 méga-octet de données figées dans un temps impartis couplé au nombre d'utilisateurs de Tor se répétant jusqu'à trouvé une logique. Imaginons une équation à 4 inconnus impliquant le million de TORIENS et le méga-octet figé il ne reste que 2 inconnus à résoudre et ces deux inconnus sont les deux clefs qui si elles étaient découvertes, serais les IP rangés à leur place géographique propre à lui.

Hello,

good question! Our plan is to handle researchy protocol-level attacks in a case-by-case basis. There is already plenty of literature on guard discovery attacks, so we would probably only reward reports about novel new attack techniques, or security bugs on code that is there to prevent guard discovery attacks. Feel free to get in touch with us, if you have a cool attack vector that is currently unknown.

July 23, 2017

Permalink

This author suggest that Tor team reveal too much details about Tor on wikipedia and that allow him to hack tor easily using 2 methods :
A - freezing 1 M0 data / 1000000 users then finding a logical sens
B - using a formula comparing 1 MO/10000000users

like that he obtains one key.

with 2 others keys ; it should find the ip & locate one user.

1° Ce n'est pas une faille cela s'appelle de la transparence:foss : c'est plus sûr.
2° wikipedia n'est pas une référence.
Votre exemple n'a pas de sens :
- il n' a pas de corrélation ente le nombre d'utilisateurs et les données ; de plus c'est crypté.
vous ne pouvez donc trouver une 'logique' !
- les formules mathématiques en oeuvre sont d'un autre ordre qu'une équation à 4 inconnus ; de plus les ip ne sont pas une personne localisée.
vous ne pouvez donc les déduire par 'astuce' !

* Vous décrivez un truc pour gagner au loto ce qui n'a aucun rapport avec Tor.

* You are describing a trick for winning at the loto :
you know the right number of the last week & the number of players & it should give you the number winner of the next week : absurd.

> This author suggest that Tor team reveal too much details about Tor on wikipedia and that allow him to hack tor easily using 2 methods :

There may be some misconceptions here.

o Wikipedia volunteers, not Tor Project, write Wikipedia content.

o Tor is Open Source so it is necessary and appropriate that the code and specifications be public and easily available for anyone to study.

o The Open Source model generally is based upon the premise that when anyone (with the required technical background) and study and try to break the code, and when everyone is encouraged to report problems or research findings to the vendor, cybersecurity of the product will improve.

For much discussion of (old and new) flaws in Tor and how we might try to fix those which have not already been addressed, please see

https://www.freehaven.net/anonbib/date.html

July 23, 2017

Permalink

The tor circuits change automatically and i think you people need to look after it
also it have some issue with google most often it consider the queries as automated or bot query plz fix it tell a method to fix

> The tor circuits change automatically and i think you people need to look after it

Are you referring to the fact that in current versions of Tor Browser, the underlying Tor engine creates new circuits when you type in a new url (but generally not when you click on a link in a web page)?

That's intentional, and the hope is to blunt certain deanonymization attacks on Tor users.

In general, known (effective) deanonymization attacks and current countermeasures tend to be counterintuitive to many people, even those with technical backgrounds. A good place to begin reading to get some idea of how difficult this is (for attackers, and even more, for defenders) can be found here:

https://www.freehaven.net/anonbib/date.html

(Not a TP employee, just a user like you, so I defer to their expertise if I got anything wrong.)

July 25, 2017

Permalink

Every time you enter yandex.ru as URL using Tor browser, it automatically redirects you to yandex.ua. Nothing like this happens while using any other browser...

July 28, 2017

Permalink

good

July 28, 2017

Permalink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

**************************************************
TOR does not work either in Tails or anywhere else!
Yandex has found the vulnerability and is using it!
**************************************************

I use Tor in Windows 10 PRO, as well as the operating system Tails (3.0.1), which I installed on USB according to the instructions from the site.

I use these tools for a long time and often - an experienced user (I use more than a year).

I work mostly on the same computer, where as the main operating system is Windows 10 Pro, and in Tails I boot through live USB.

I enter the Internet mainly through the Wi-fi access point, and also use my mobile phone (3g) frequently as an access point.

I enter the network almost automatically through bridges (obfs3) from the same computer.

Security settings - High.
There are no other extensions in the browser, except for those that were in the default browser.

Persistent Volume is (except for saving APT Packages, APT Lists, Dotfiles).

I'm physically in Ukraine (this is important) !!

ESSENCE OF THE CASE:

When working in Tails.

When you enter into the browser string DIRECT address yandex.ru I automatically transfer to the site https://yandex.ua/?nr=10331
******************
(PLEASE NOTE THIS NUMBER IS IT BY MY COMPUTER'S NAME !!!!!!!!!!!! NUMBER CHANGED FOR ANONYMITY)
*******************
In this case, the weekend is in France! And not in Ukraine!

(The last numbers changed for anonymity)

RE-LOADED !!!!!

I stopped in Tails again.
Included Persistance Volume, bridges obfs3, Security settings - High.
The result is the same! (The output node was in Finland!)

ATTENTION!!!
Installed the Tails OS by cloning to another USB.
Booted already from her. No other settings were made. I entered the network directly - without bridges.
The result is the same! (The output node was in Sweden!)

Remind: No scripts, no left plugins (all only from the box), no JavaScript - nothing. All done according to the instructions from the Tails website.

ATTENTION!!!

Boot into the main OS Windows 10 PRO, launched Tor, typed in the address bar yandex.ru - The result is the same! (The output node was in the USA!)

Check it yourself and pass it on to everyone!
TOR does not work either in Tails or anywhere else!
Yandex has found the vulnerability and is using it!
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErXPHf5oWOgSVW82bH8EL3q75mQEFAll7kdIACgkQH8EL3q75
mQHf9xAAgCxUpBoHnAfl5Nt21iEkYp6j8w3qxgxGnLO/PNcXrnlEvGG+cM0IlgDW
QT23KU/mZY2LAc+LOCPOMIb5uAfhHHH2GV2CWi3mJ+4NuySDi5eVXrdhVncg4iq+
7WWGTBHDA7v9JfB/yDiaLapsHXUyQ3duG0hLTEa6zCaZ1SxJYDrc40dwe57yl/Ij
KtnZbmlUP+4dsedWIvstjqBuBp6D5lFgkU7+22the8Hs31kWwPXNwKwikrKMPwj1
Ifchpipj/RKPeeXNaFAmmY4UheBrT+6OAdvuOCokI/6SASGRm9NYjIM0RiSGti9J
USEpi+PTEZwwYSDra1M44TUhDkj9Qxt1HMvmWLTQEdi3/LkOV2e8zUPJxRiFNSDX
pV+bCwm+ZCbbt03zN0UdXL/YyEc/4HhM3jh5vykdSigELA+6M5zPBecO9kEV0uSx
VV5qf19ckD7msXArvVcigb+m2nIwRDfdO5vqMwiqr3D6wj1U/9QUEqRUhyNsWaoK
NC6QYal1EMnezCD22Ns+9+n5O2VC0laW1VRdS+DjXvAcQaavkqdS6bjDUCADCbu0
A90vAdEDHigNdJD/0IGyiOaZ7BAagOLiz1l+yZb8VabEMm+uZzXBIZR6FWqAbKrE
NO6CnjfYa8vDVIBxseWeAvYldbbOdQ6OP+WvwGM2lZ7bFwsHqPA=
=zgM7
-----END PGP SIGNATURE-----

August 02, 2017

Permalink

Why not full disclosure? You can say "not to harm the users", but I say that NSA already knows everything researchers can find. How can we be sure that tor project is honest and is not exploiting the delay you have paid for? I insist on full disclosure.

It's hard to argue about the capabilities of the NSA. But for the sake of argument let's assume you are right about that. There are still lots of scenarios where other folks could be harmed (e.g. syrian dissidents) if we would not disclose vulnerabilities in a responsible way just because the are targeted by less powerful actors.

Could you rephrase the "exploiting the delay you have paid for"? You mean we'd just pay researchers to keep quiet while not fixing critical bugs as fast as possible? If so, then the same logic as above applies to that case: the longer we keep this critical bug unfixed the more likely it is that others will discover the bug, too, and start to exploit it. Thus, we have to much quickly to avoid that.

They absolutely do not know every bug which researchers can find. They are humans, too, after all. There was actually a paper about this, about the amount of "0day collisions" (0days kept private, but found independently by multiple parties). It wasn't specific to Tor, but it does present the case that most high-profile exploitable software will not necessarily have a large amount of independently-discovered 0days.

Now, the argument of full-disclosure on its own still has merit. For example, I make use of full-disclosure to patch my systems or otherwise mitigate the problem as soon as it comes out, and long before an official fix is released. This has nothing to do with the belief that "the NSA already has all those bugs".

You are free to report bugs you find to the full-disclosure mailing list instead of this bug bounty program.

September 22, 2017

Permalink

Hey, nice page...

I've got one question. Is it normal that everytime when I start Orfox on my phone I have to reconfigure NoScript?

Because of after every restart all webpages are whitelisted and when I go into the NoScript Configuration I see nothing, only Disable or Uninstall. When I press the Disable-button and enable it again then I can configure it and I can use the classic blacklist config.

Please try to fix it.

Greetings