Two serious security vulnerabilities in OnionShare could expose users’ data. OnionShare is a secure communication platform popular among whistleblowers and security personnel.
According to a recent advisory from IHTeam, its researchers spotted two security vulnerabilities in OnionShare.
Briefly, OnionShare is an open-source communication service offering secure chats, file sharing, and other communication features. The tool works over the Tor network and is popular among security researchers, journalists, and whistleblowers for private communications.
The first bug is an unauthenticated file upload (CVE-2021-41868). It stemmed from a logic issue in receive_mode.py that allowed anyone to upload a file to a remote OnionShare instance before an authentication check took place.
The second vulnerability (CVE-2021-41867) is an information disclosure vulnerability that could expose chat participants. Describing this bug, the researchers stated in their post,
“IHTeam observed that it was possible to initiate a websocket connection from an unauthenticated perspective and retrieve the full list of participants… The issue was found while analyzing chat_mode.py which allowed an unauthenticated user to connect via websocket (with or without a valid Flask session cookie). The leak of chat participants happened when emitting ‘joined’ message in the websocket channel.”
The researchers observed that the vulnerabilities affected OnionShare versions up to the then-latest v.2.3.3. This means that exploiting the bugs could have put the security of almost all OnionShare users at risk.
Following the bug report, the OnionShare team addressed the matter and released patches. Releasing the new version on GitHub, the team confirmed that it had addressed both vulnerabilities in OnionShare version 2.4.
Since the patches arrived before any exploitation, OnionShare users may continue using the platform without worries. Nonetheless, users must ensure they are running the latest software version to avoid any security risks.
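The ordering flaw described above for CVE-2021-41868, reduced to a stand-alone Python sketch that places the flawed check order beside the corrected one and includes a regression check. This is an added example, not OnionShare's receive_mode.py code; the handler names, the header check and the demo token are hypothetical.

```python
import hmac
import os
import tempfile

# Constructed credential for the demo; not an OnionShare value.
DEMO_TOKEN = "Basic ZGVtbzpkZW1v"

def is_authorized(headers):
    """Constant-time comparison of the Authorization header."""
    return hmac.compare_digest(headers.get("Authorization", ""), DEMO_TOKEN)

def store(upload_dir, filename, body):
    """Write the upload under upload_dir, dropping any path components."""
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(body)
    return path

def receive_unchecked_first(headers, filename, body, upload_dir):
    """Flawed ordering: the body is stored while the request is handled,
    and the credential is only checked afterwards."""
    path = store(upload_dir, filename, body)
    if not is_authorized(headers):
        return 401, None  # rejected, but the file is already on disk
    return 200, path

def receive_auth_first(headers, filename, body, upload_dir):
    """Corrected ordering: reject before any request data is persisted."""
    if not is_authorized(headers):
        return 401, None
    return 200, store(upload_dir, filename, body)

def files_left_by_anonymous_upload(handler):
    """Regression check: send one unauthenticated upload (constructed input)
    and report the status code plus what ended up in the upload directory."""
    with tempfile.TemporaryDirectory() as upload_dir:
        status, _ = handler({}, "../report.bin", b"constructed sample", upload_dir)
        return status, sorted(os.listdir(upload_dir))

if __name__ == "__main__":
    print(files_left_by_anonymous_upload(receive_unchecked_first))
    print(files_left_by_anonymous_upload(receive_auth_first))
```

Both handlers answer the anonymous request with 401, so the status code alone does not reveal the flaw; the check has to inspect what was written to disk.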