Developers disable installation of new plugins as a precaution

Jul 28, 2014 22:05 GMT

Following the announcement from vulnerability broker Exodus Intelligence about flawed components in Tails operating system enabling de-anonymization of a client, developers of the I2P networking tool have fixed the glitches on their end.

They also disabled some of the advanced configuration options, such as the installation of new plugins. The measure has been implemented until an additional assessment of the tool is completed, in order to make sure that there are no loose ends that could compromise the identity of the user.

I2P provides a simple network layer for anonymous communication between applications. All traffic is encrypted end-to-end, relying on four layers of encryption upon sending a message.

The new release, 0.9.14, integrates critical repairs for cross-site scripting (XSS) and remote execution vulnerabilities that were privately disclosed to the developers by researchers at Exodus Intelligence.

“The release also contains several bug fixes in i2ptunnel, i2psnark, and other areas, and updates to the latest Jetty, Tomcat, and Wrapper. We've also implemented a faster and more secure method for reseeding,” write the developers in the changelog.

The list of security fixes includes disabling the option to change the news feed link from the user interface, as well as the one that allowed setting an unsigned update URL from the UI.

Users also have to upgrade I2P-Bote to build 0.2.10 because the library changes in the network tool break compatibility with the new release. However, this action should be initiated automatically as soon as the router component starts.

I2P is used in several products, including Tails (The Amnesic Incognito Live System), which is used to access the web and communicate anonymously.

At the moment, the updated release of the networking tool has not been added to the operating system, making it vulnerable to de-anonymization of the users, as demonstrated in a video by the Exodus team.

There are certain prerequisites for an attacker to be able to learn the identity of a user. One of them is being able to modify the content of the website the victim visits with Tor Browser; this is not too difficult to achieve, according to the maintainers of Tails.

The second condition is to know the actual vulnerability and how to exploit it. The researchers at Exodus did not disclose any of this information to the public and said they would work with Tails developers to solve the issue.

As temporary solutions for mitigating the de-anonymization risk, they recommend not starting I2P in versions 1.1 and earlier of the operating system. If it is necessary to use the vulnerable I2P, it is recommended to disable JavaScript completely in Tor Browser; the NoScript add-on can help with this.