Tor Browser can leak your identity through side-channel attack

Temporary workaround plugins:

Chrome:

Firefox:

Tried adding this to gitlab TOR bugs, but they will not validate my account(Yet another bug with reporting bugs!)

This attack is fixed on NoScript 11.4.8, check out this explanation by @ma1:

https://twitter.com/ma1/status/1557751019945299969

Cross-tab Identity Leak Protection

NoScript’s Cross-tab Identity Leak Protection (or “TabGuard”) is an experimental countermeasure against the Targeted Deanonymization via the Cache Side Channel attack by Mojtaba Zaheri, Yossi Oren and Reza Curtmola, presented at Usenix Security in August 2022.

NoScript's Potential Identity Leak dialog

It is loosely inspired by the Leakuidator+ browser extension proposed by the authors as a defense, but it’s designed to better integrate with Firefox and the Tor Browser and provide protection against variants of the attack not covered yet. When triggered, TabGuard suspends authenticated requests across related tabs and gives the user the ability to either “Load anonymously” (preventing the attack but also logging out from the target site) or “Load normally”, which may be required by some legitimate cross-site workflows such as online payments, single sign-on and 3rd party authentication systems. This protection is enabled by default on any Private Browsing window (and therefore in the Tor Browser), but can be disabled or enabled globally from the NoScript Options>Advanced panel.

Important Note: this feature is still in its infancy, and while effective it might also be disruptive sometimes. Improvements, especially on the user experience side, are coming. Bug reports are welcome as always.

3 Likes

Does this affect people who are pseudo anonymous, by which I mean known as a username but not known as a person

The attack is generally meant to detect that the user is currently logged with some username on a service, not the personal details behind that username (either “real” or pseudo). But as such could be used to link accounts from 2 or more services, increasing the chances to reveal their real identity.

1 Like

This topic was automatically closed 2 hours after the last reply. New replies are no longer allowed.