"Tor Code Audit Finds 17 Vulnerabilities"

A comprehensive code security audit of several components of the Tor anonymity network, conducted by researchers at Radically Open Security, discovered more than a dozen vulnerabilities, including an issue classified as "high risk." The researchers conducted the audit between April and August 2023, covering the Tor browser, exit relays, exposed services, infrastructure, and testing and profiling tools. The audit, a crystal box penetration test (where the tester has access to the source code), uncovered a total of 17 security issues. The researchers noted that a majority are medium- and low-risk flaws that can be exploited to launch DoS attacks, downgrade or bypass security, and gain access to information. Some issues are related to the use of outdated or unmaintained third-party components. The most serious of the flaws is a cross-site request forgery (CSRF) bug affecting the Onion Bandwidth Scanner (Onbasca). The researchers noted that this high-risk vulnerability can allow an unauthenticated attacker to inject bridges into the database.

 

SecurityWeek reports: "Tor Code Audit Finds 17 Vulnerabilities"

Submitted by Adam Ekwall on