Report Bugs, Get $$ Like @atechdad

by tommy | September 29, 2017

 

This week, the Tor Project -- with support from the Open Technology Fund and HackerOne -- paid out $3,000 (the highest bounty) to a developer who reported a potential proxy bypass bug. An attacker could use the bug, which affected some Linux machines, to bypass Tor’s anonymity protections.

The day after Julian Jackson (@atechdad) reported the bug through HackerOne, we released Tor Browser 7.0.3. We saw no indication that it was used in the wild, and the bug didn't affect users of Tails, Whonix, or our sandboxed Tor Browser.

We appreciate everyone who takes the time to report bugs to us. People responsibly disclosing bugs directly to us is how we keep Tor secure. Our thanks to everyone who’s been involved -- since launching our bug bounty program, we’ve paid out almost $7,000! If you'd like to be involved, head over to our HackerOne page to get started.

Comments

Please note that the comment area below has been archived.

September 29, 2017

Permalink

I found that the Tor bug bounty team is great to work with. They resolved the issue within hours and were very communicative.

As an incessant Tor user, many thanks to Julian and to the Tor team for all bugfixes.

Our community has many enemies, but we are determined and not entirely bereft of resources, so cautious optimism about the future of Tor may not be inappropriate.

September 30, 2017

Permalink

- i reported yet bugs [@That's how we want people to disclose them] as far as i am concerned i do not want your money & participating at your bug bounty program.
- i prefer that dev & hacker team show us their improvement & their skill : it is their job & they are paid for.
- you are a bit deaf about bug, bad behavior, compromised tor team (https&noscript broken is a good example).
I would like you provide a page_test where as users, we could test TBB.
Proclaiming that you discovered a bug and solved it is too easy : prove it now.
A report_page_bug_test is welcome !

btw you promised to build your own fingerprint test : eff provide one outdated & not accurate..

torsandboxed is better than firefail +tor but ... if you have both installed (tor & torsandboxed) problem should occur & torsandboxed is not finished, unstable_use at your own risk.
punycode even activated did not work (it works with 7.0.6).

Someone propose 1 million for an exploit : take care , it is not for arresting the bad guys or be on the right side.
- without a contract you are not protected.
- without negotiation you are on the rules of an unknown team.
- without to be paid you give your resources, your work to someone else.
- without following from the beginning to the end your exploit , you cannot be certain that their proposition is true & their action is legal.
- they are looking for an exploit for penetrating the banks in Australia (trade via china/ financial market) : i guess that is an E.U_fr operation (usa deal) for learning how to work this obscure washing *machine and hiding their own funds & the funds of the countries : own sake.

In short you are a low spy involved in an illegal activity paid **** $ for let them be the king of 1/4 of the world market.
will you be paid 1 million ?
is it not a cheater game ?
what should be the risk (jail, accident, tax, blackmail) ?

btw trump (& others) was speaking about 'human being, democracy & bad things' when in the same time he spent 1,000000 $ renting a private plane (paid with the public taxes) for a week-end _ where is the bug ?

Only responding to the parts that pertain to stuff I wrote or stuff I know about, though this is hard to parse.

> - i prefer that dev & hacker team show us their improvement & their skill : it is their job & they are paid for.

I'm not getting paid to work on any of this at the moment.

> - you are a bit deaf about bug, bad behavior, compromised tor team (https&noscript broken is a good example).

I find it hilarious that they still haven't disabled the addon auto updater, after getting screwed by it twice.

> torsandboxed is better than firefail +tor

Yes.

> but ... if you have both installed (tor & torsandboxed) problem should occur

Either disable the normal Tor Browser's non-AF_LOCAL socks port, or always launch the sandboxed browser after launching the normal Tor Browser.

> & torsandboxed is not finished, unstable_use at your own risk.

Patches accepted. Alternatively, I'll accept large amounts of hard currency to work on it more, under certain conditions.

> punycode even activated did not work (it works with 7.0.6).

The sandbox intentionally forces IDNs to be displayed as punycode in the URL bar to thwart homograph attacks.

October 01, 2017

In reply to yawning

Permalink

Yawning, sorry you have to put up with people like that, lol. I do have a question though.

>The sandbox intentionally forces IDNs to be displayed as punycode in the URL bar to thwart homograph attacks.

Didn't Mozilla implement that upstream a long time ago? Is mainline (non sandboxed) TBB's behavior the same? Does displaying URLs have anything to do with the sandbox?

Oh and thanks for all the work you do!

i do not understand what you are speaking about ; it sounds you need these links where all is explained (april 2017) _ yes TBB & torsandbox are/were also vulnerable like chrome & firefox.

https://www.ghacks.net/2017/04/17/punycode-phishing-attack-fools-even-d…
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
*people like that are like yourself ...

> Didn't Mozilla implement that upstream a long time ago? Is mainline (non sandboxed) TBB's behavior the same?

At the time I added the modified preference, neither upstream firefox nor standard Tor Browser handled this in a way I deemed appropriate.

https://trac.torproject.org/projects/tor/ticket/21961

> Does displaying URLs have anything to do with the sandbox?

Not directly, no. But since the sandbox needs to alter the browser config anyway, it ships with certain other things changed.
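An added illustration of the point made in the replies above, not part of the original thread and not Tor Browser or Firefox code: it models a URL bar that shows Unicode whenever a label uses a single script, next to one that always shows punycode. The single-script rule is a simplified assumption for illustration, the function names are hypothetical, and the hostnames are constructed samples.

```python
import unicodedata

COMMON = {"DIGIT", "HYPHEN-MINUS"}  # characters shared by every script


def scripts(label):
    """Approximate the scripts used in a label from Unicode character names."""
    found = set()
    for ch in label:
        first = unicodedata.name(ch, "UNKNOWN").split()[0]
        if first not in COMMON:
            found.add(first)
    return found


def to_a_label(label):
    """Return the ASCII (punycode) form of one lowercase DNS label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def display_host(host, force_punycode):
    """Decide, label by label, what a URL bar would show for a hostname."""
    shown = []
    for label in host.lower().split("."):
        single_script = len(scripts(label)) <= 1
        if force_punycode or not single_script:
            shown.append(to_a_label(label))
        else:
            shown.append(label)  # Unicode is displayed as-is
    return ".".join(shown)


# Constructed sample hostnames (not taken from the page).
MIXED = "ex\u0430mple.com"               # Latin letters plus Cyrillic U+0430
WHOLE_SCRIPT = "\u0430\u0441\u0435.com"  # entirely Cyrillic, renders like "ace"

if __name__ == "__main__":
    for host in ("example.com", MIXED, WHOLE_SCRIPT):
        print(ascii(host),
              "| script check:", ascii(display_host(host, False)),
              "| forced:", display_host(host, True))
```

The mixed-script label is converted under both policies, but the all-Cyrillic label passes the single-script check and is only exposed when punycode display is forced.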

September 30, 2017

Permalink

> Get $$
And how to do it anonymously?

October 01, 2017

Permalink

Hey, I'm not sure, but I think Tor Browser is not working properly on macOS High Sierra. I've tried to reinstall it but even doing so it's way too slow compared to macOS Sierra and some websites don't even load properly. Also, I can't play videos even if allowing Flash to do so. If anyone has any suggestion I'll be glad to hear it. Thank you!

Yes, Tor is slower than a vanilla browser without it as your traffic is bounced to three servers before it reaches its destination. While the speed has increased a lot over the past years we ultimately won't reach non-Tor performance.

Flash is blocked in Tor Browser by default (although one should be able to get it running, that's not trivial) due to security concerns.

Not sure which websites are blocked but there are indeed some content delivery systems or websites themselves that don't want to have Tor users. There is not much we can do about that other than talking to and educating them about Tor and why it is important for millions of users.

October 01, 2017

Permalink

can i add a certificate (self-signed) at TBB (permanently) or must i expect a bug ?
can an onion be set in https , hsts (bugs could come from a cookie attack, mitm, vulnerabilities with script activated e.g.)?
is it not better without ?
your kist model is coming soon : is it more resistant against bugs or just more difficult for the attacker to find a hole & to attack with success an onion site ?

You should be able to import certificates if you are allowing disk records. The default Tor Browser mode, though, is to disallow that.

There are .onions over HTTPS already, so, sure that's possible. What do you mean with "not better without it"?

KIST is a means for enhancing Tor performance, it's not something to make Tor more resistant to .onion site attacks.

October 01, 2017

Permalink

Hey I been using Tor on Facebook Onion Address Tor so good my IP address disappears off face of Earth. The CIA Trolls couldn't track down my location thankx Tor anonymity. No VPN can make your location disappear off Google map thankx for keeping me safe from illuminati identifying who I am so they can't use anything I say against me for control thankx guys

October 07, 2017

Permalink

I could run version 7.5a2 just fine on my Windows 7, 64 bit, sp1, with all the latest patches. However, when I try to run 7.5a5, it errors out without leaving any log files. When I install 7.5a2 again, as soon as it runs, it updates to 7.5a?, and errors out again.
Thoughts?

Yes. That could be related to the sandbox we ship for the first time with Tor Browser 7.5a5. Could you test whether 7.5a4 still works for you (so we can narrow down the Tor Browser version that breaks for you)? You'll find it on https://dist.torproject.org/torbrowser/7.5a4/. If that's still the case could you try to set security.sandbox.content.level to 0 and restart with your 7.5a5 bundle and test whether that fixes your problem? If you can't start 7.5a5 at all you could try to create that preference in 7.5a4 before updating by right-clicking on about:config. Thanks!

October 14, 2017

Permalink

"FIREFOX browsers will soon block "fake news" flagged by George Soros-linked left-wing groups"

Is that true?
Is that considered as a bug and/or a security problem/threat?

http://uk.businessinsider.com/mozilla-new-initiative-counter-fake-news-…
https://www.activistpost.com/2017/08/mozilla-joins-george-soross-effort
https://www.theguardian.com/technology/2017/aug/08/fake-news-full-fact-…

I don't need Mozilla or any other to tell me what is "truth and facts", that's not democracy

October 20, 2017

Permalink

Hi! I can't download pdf from Tor Browser using download button, even with the last version (7.0.7).
I really appreciate any help you can provide.

November 04, 2017

Permalink

mail.com is somehow trailing me through multiple Tor circuits. When I go to mail.com it brings up a pre-filled form from an email address I signed up for earlier today. If I click on "New Tor Circuit For This Site," it still brings up the same pre-filled form, even though Tor is showing a new circuit with 3 different countries & IP addresses. Scary stuff. If mail.com can do this, who else is able to?

February 03, 2018

Permalink

I would like to report (minor) bugs with the Tor Browser Bundle but I am unable to file a report on Trac.

Trac is not compatible with Tor. Despite trying about 15 captchas ... it still thinks i'm 'spam'

May 09, 2018

Permalink

Dear Tor,

Trying to create an email address on mail.com but I keep getting blocked when using captcha. Message says "Your computer or network may be sending automated queries. To protect our users, we can't process your request right now". No matter how many browser configurations I tried it still doesn't work. Even with this very advanced browser here goes our dream to the free anonymous internet. Sadly, this isn't the only website that "knows" what Tor is doing. Apparently all those big corporations learn extremely fast how to "defend" and that's a biggie. Don't know how we can fight this but we MUST!

Best,

George