Minor breach allowed unauthorized editing on the main page

Jun 30, 2014 11:25 GMT

Over the weekend, the official website of the Tails live operating system was defaced by someone who claims to have done it by accident.

The defacement appears to have been accidental, and no profanities or malicious messages were plastered on the main page. The content of the main page (a description of the OS) was simply replaced with a message from the “hacker.”

He signed the message as “Sum guy” and claimed to be a 17-year-old. The text also contained an apology for the inconvenience created and the hope that a backup was available.

“You has been haxoredeszed by sum dumb 17 year old by accident... Sorry about that please forgive me! I accidentally logged myself in as someone important and changed the site, not knowing that what I was changing would save! So sorry about that... I hope you have a backup, Oh and btw I love your OS! Yours sincerely, Sum guy,” reads the message.

Tails is a live operating system aimed at protecting the privacy and anonymity of the user by using cryptographic tools for encrypting files, emails and instant messages, and by running all Internet connections through the Tor network.

The operating system is based on Debian and can be launched from a USB stick on most computers. It does not store any data on the machine, unless the user explicitly instructs it to do so.

Because of its powerful anonymity features, Tails OS has been used by Edward Snowden to communicate with journalists about the NSA documents.

Given the privacy-preserving capabilities of Tails, some may worry that this attack could have corrupted the image files of the operating system.

We contacted the Tails developers and it appears that the incident was possible because of a username with special privileges for the wiki application used for the website.

The “admin” ikiwiki user either had a weak password or was never created, and “Sum guy” managed to register it. The developers fixed the issue and that username can no longer be used to modify the page.

Furthermore, there is no reason to worry about tampered files being offered, because the images are signed with an OpenPGP key and the signature certifies the integrity of the downloaded image.

As such, it does not matter where the Tails ISO image is downloaded from as long as it matches the signature. A complete guide to verifying the authenticity of the downloaded file, on both Linux and other operating systems, is available on the website.
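The check described above, as an added example (not from the original article or the Tails project): shell functions that verify a detached signature with `gpg` and accept it only if it was made by one pinned key. The fingerprint shown is a placeholder and the function names are assumptions; the real fingerprint has to come from a channel other than the website serving the download, since that site is what was tampered with here.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature and require that it was
# made by one pinned key. A "good signature" from any key in the keyring is
# not enough if an attacker could have supplied that key.

# Placeholder, NOT a real key: replace with the signing key's 40-hex-digit
# fingerprint, obtained independently of the download site.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the wanted fingerprint as the signing key (field 3) or as the primary key
# (last field, present when a subkey made the signature).
status_has_pinned_sig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want))
                ok = 1
        }
        END { exit(ok ? 0 : 1) }'
}

# verify_image IMAGE SIGNATURE [FINGERPRINT]
verify_image() {
    image=$1
    sig=$2
    fpr=${3:-$PINNED_FPR}
    # gpg exits non-zero on a bad signature or a missing public key; on
    # success the status lines say which key produced the signature.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$image" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_has_pinned_sig "$fpr"
}

# Stand-alone use: sh verify.sh IMAGE SIGNATURE [FINGERPRINT]
if [ "$#" -ge 2 ]; then
    if verify_image "$@"; then
        echo "signature made by the pinned key"
    else
        echo "NOT verified: do not use this image" >&2
        exit 1
    fi
fi
```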

The developers of Tails remain shrouded in mystery because, just like in the case of TrueCrypt, there are no details about their identity.