The hidden websites on the Tor anonymity network are supposed to be concealed behind a strong veil of technology. But as with any technology, human mistakes can undo almost anything.
A common configuration mistake in Apache, the most popular Web server software in the world, can allow anyone to look behind the curtains on a hidden server to see everything from total traffic to active HTTP requests.
When a hidden service reveals the HTTP requests, it’s revealing every file—a Web page, picture, movie, .zip, anything at all—that’s fetched by the server.
Tor’s developers were aware of the issue as early as last year but decided against sending out an advisory.
The problem is common enough that even Tor’s own developers have made the exact same mistake. Until October 2015, the machine that welcomed new users to the Tor network and checked if they were running up-to-date software allowed anyone to look at total traffic and watch all the requests.
In the case of this particular Tor Project machine, it doesn’t appear that there’s much danger to the users. Instead, the status page reveals a lot of server information but not much sensitive user data.
Alec Muffett from Facebook, which runs its own hidden service, said on Saturday that he’s been sounding the alarm on the problem for six months. Last year, he found a popular hidden service search engine with the same problem exposing active HTTP requests, meaning you could watch the searches being made in real time.
Muffett redacted the “most distasteful” results. Even so, the top search asks “How to get rid of 2 bodys.”
When alerted last year to the issue, Tor developers decided against sending out an advisory. In fact, Apache’s configuration problem has been known even longer than that.
To fix the issue on your own Apache-run hidden service, Muffett advises a one-liner from the shell of your server to disable the whole thing:
$ sudo a2dismod status
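Operators who would rather audit their configuration before disabling the module can check how the status handler is restricted. The script below is an added example, not code from Muffett or the Tor Project. It assumes the Tor daemon forwards hidden-service traffic to Apache over the loopback interface, so a loopback-only access rule admits every Tor visitor. The sample config and the verdict names are constructed for illustration.

```python
import re

# Constructed sample in the style of a Debian status.conf; not taken from the article.
SAMPLE_CONF = """\
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
"""

LOOPBACK = re.compile(r"(require\s+(local|ip\s+(127\.|::1))|allow\s+from\s+(127\.|::1|localhost))", re.I)
OPEN = re.compile(r"(require\s+all\s+granted|allow\s+from\s+all)", re.I)
GRANT = re.compile(r"(require|allow\s+from)\b", re.I)
DENY_ALL = re.compile(r"require\s+all\s+denied", re.I)

def classify(rules):
    """Classify the access rules found inside one status <Location> block."""
    grants = [r for r in rules if GRANT.match(r) and not DENY_ALL.match(r)]
    if not rules or any(OPEN.match(r) for r in grants):
        return "open"            # no restriction at all
    if not grants:
        return "denied"          # only deny rules present
    if all(LOOPBACK.match(r) for r in grants):
        return "loopback-only"   # assumption: Tor traffic arrives from loopback, so this is exposed
    return "review"              # other hosts or networks are allowed; check by hand

def audit_status_handlers(conf_text):
    """Return (location, verdict) for each <Location> block that serves mod_status."""
    findings, block = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opening:
            block = {"path": opening.group(1), "status": False, "rules": []}
        elif block is None:
            continue
        elif re.match(r"</Location>", line, re.I):
            if block["status"]:
                findings.append((block["path"], classify(block["rules"])))
            block = None
        elif re.match(r"SetHandler\s+server-status\b", line, re.I):
            block["status"] = True
        elif re.match(r"(Require|Allow|Deny)\b", line, re.I):
            block["rules"].append(line)
    return findings

if __name__ == "__main__":
    for path, verdict in audit_status_handlers(SAMPLE_CONF):
        print(path, verdict)
```

On a hidden service, both "open" and "loopback-only" mean the status page is readable by visitors; only "denied", or disabling the module as above, closes it.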
Photo via Andrew Stawarz/Flickr (CC BY ND 2.0)
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.