Research potential for deanonymization by a compromised "amnesia" user
We already deny access to the Tor control port from the “amnesia” user. Still, there are possibly other ways for a compromised “amnesia” user to deanonymize the Tails user, e.g.:
- taking control of Vidalia (which runs as a dedicated user, but inside an X session controlled by the “amnesia” one) and using its access to the Tor control port; e.g. a selection of bridges picked by the attacker is probably enough to deanonymize the user.
- using NetworkManager, e.g. to get a list of Wi-Fi access points around
| Bug #15635: The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction | Confirmed | |
| Related to Tails - Feature #6549: Prevent MAC address leak for non-root users | Confirmed | 2013-12-29 |
#15 Updated by cypherpunks 2018-06-04 04:14:06
I opened Bug #15635 with a PoC utilizing X11 and the Unsafe Browser. I also think there’s a rather big risk to allowing unrestricted access to RFC 1918 (local) addresses, since router vulnerabilities that require an attacker positioned on the LAN are absolutely ubiquitous and access to the router itself can fully deanonymize a Tails user.