A vulnerability was discovered in Toxcore that allows one to learn the IP of a target user by knowing only their Tox Id, without being friends with the target user. The Tox protocol is designed so that only friends (contacts) whose friend requests you have accepted are able to learn your IP from your Tox Id, and no one else. Thus, being able to learn the IP of the owner of a Tox Id without them accepting a friend request is undesired behavior. This is a vulnerability in an implementation of the Tox protocol, the Toxcore library, not in the Tox protocol itself.

The vulnerability affects both TokTok’s c-toxcore and irungentoo’s toxcore. It affects only the UDP mode of operation; TCP-only mode is not affected. TokTok’s c-toxcore has patched the vulnerability in version 0.2.2. irungentoo’s toxcore doesn’t have the vulnerability patched as of this moment and it’s unknown if it ever will, as it hasn’t been actively maintained for years. (irungentoo’s toxcore was patched after this post was written.)

The vulnerability was privately reported to us by Evgeny Kurnevsky on April 14th and publicly disclosed with our permission on April 15th, along with a patch fixing the vulnerability, made by Evgeny Kurnevsky. The vulnerability was found when Evgeny was working on the tox-rs project, a Tox implementation in Rust.

We urge everyone to update to the latest TokTok c-toxcore as soon as possible.
You can immediately mitigate the vulnerability for yourself by using TCP-only mode.

Due to the nature of the vulnerability, using a Toxcore in which the vulnerability is patched is not enough to protect yourself. The way the patch works is that it can’t protect you from the vulnerability, but it can and does protect other peers. So in order to be protected from the vulnerability, everyone should switch to using the patched Toxcore. The more people use the patched Toxcore, the lower the chance of being vulnerable. Note that this applies only to the UDP mode. If you use the TCP-only mode, you are fully protected, as you are not affected by the vulnerability.

Here are the technical details of the vulnerability.

The vulnerability is caused by the Onion module of Toxcore erroneously allowing any data, any Tox packets, to be onion-routed without restriction. By the Tox protocol specification, when Alice makes an onion-routed request to Bob and Bob then sends an onion-routed response back to Alice, the payload of Bob’s onion-routed response arrives at Alice as it is, stripped by the last onion hop of any identification that it was ever onion-routed, and is interpreted by Alice as a regular Tox packet.
Alice has no way to distinguish onion and non-onion packets: she has no idea whether the packet originated from the node she received it from, or whether it was relayed on someone else’s behalf as part of onion routing.
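The restriction the Onion module lacked can be pictured as an allowlist that a relay applies before it delivers an unwrapped onion payload as a plain packet. This is an added example, not code from this post or from the c-toxcore patch; the function names, the counters and the packet type values (assumed from the Tox protocol specification) are illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Packet type bytes assumed from the Tox protocol specification;
 * treat the values as assumptions of this example. */
enum {
    PKT_PING_REQUEST        = 0x00,
    PKT_NODES_REQUEST       = 0x02,
    PKT_ANNOUNCE_REQUEST    = 0x83,
    PKT_ANNOUNCE_RESPONSE   = 0x84,
    PKT_ONION_DATA_REQUEST  = 0x85,
    PKT_ONION_DATA_RESPONSE = 0x86
};

/* Which way the unwrapped payload is about to leave the relay. */
typedef enum { TO_DESTINATION, TO_ORIGINATOR } onion_dir;

/* Hypothetical counters a relay could export for monitoring. */
typedef struct { unsigned forwarded, dropped; } relay_stats;

/* Allowlist: only payload types that exist solely for onion traffic may be
 * delivered as plain packets, and only in the direction they belong to. */
static bool onion_payload_allowed(onion_dir dir, const uint8_t *p, size_t len)
{
    if (p == NULL || len == 0) return false;
    switch (p[0]) {
    case PKT_ANNOUNCE_REQUEST:
    case PKT_ONION_DATA_REQUEST:  return dir == TO_DESTINATION;
    case PKT_ANNOUNCE_RESPONSE:
    case PKT_ONION_DATA_RESPONSE: return dir == TO_ORIGINATOR;
    default:                      return false; /* ordinary Tox packet */
    }
}

/* Returns true if the relay would deliver the payload; a real relay would
 * call its UDP send routine at the point where `forwarded` is incremented. */
bool relay_deliver(relay_stats *st, onion_dir dir, const uint8_t *p, size_t len)
{
    if (!onion_payload_allowed(dir, p, len)) { st->dropped++; return false; }
    st->forwarded++;
    return true;
}
```

A check of this kind runs on the relaying node, not on the recipient, which fits the post's point that a patched node protects other peers, not itself.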