Tor Exploitation
July 15th, 2025
Overview
The purpose of this page is to highlight the ways a Tor user can be exposed, as part of understanding Operational Security and protecting your privacy. This does not mean Tor is flawed; it is one of the best privacy-oriented applications available and has relatively few security vulnerabilities. It is important, however, to assess the mistakes a user can make when using Tor, the precautions needed to prevent them, and how to properly secure and use Tor.

Background
Tor (also known as The Onion Router) is a project designed for anonymous internet access through a network of volunteer-operated relays (also called nodes).
Onion routing was originally developed at the United States Naval Research Laboratory, starting in 1995, with the aim of protecting the online communication of the United States Government and its allies from tracking and surveillance. Tor itself was first released publicly in 2002 and its source code was later released under a free license, which brought a large influx of users and developers and the addition of volunteer relays to the project.
The project evolved over the years from a simple Tor proxy into the well-known Tor Browser, which played a role in events such as the 2011 Arab Spring and in the surge of privacy concern after the 2013 Edward Snowden NSA leaks. As of 2025 the network consists of several thousand relays.

Protection
The Tor network currently uses a chain of relays to provide anonymity to both the visitor and, in the case of onion services, the provider. Relays are simply Tor instances configured to forward traffic for other clients, adding capacity to the network. By default, a Tor client sends traffic through a circuit of 3 relays (guard, middle and exit) before it reaches the intended destination.

Tor clients encrypt their traffic so that each relay knows only 2 things: which hop the traffic came from and which hop it goes to next. The client negotiates a separate key with each relay in the circuit and wraps its traffic in one layer of encryption per relay. As the traffic passes through the circuit, each relay strips off its own layer before forwarding the rest, so a 'middle-man' relay sees nothing but ciphertext. The exit relay strips the last layer and sees the traffic exactly as the client sent it, which is why anything that is not itself encrypted (plain HTTP, for example) is readable by the exit.

There are 3 kinds of Tor servers: non-exit relays, exit relays, and bridges. Both non-exit and exit relays are publicly listed, so anyone can see and map them. An exit relay is additionally configured to act as the exit point for traffic leaving the Tor network. A bridge, however, is not publicly listed, which allows users in more heavily censored environments to reach the Tor network via unpublished IP addresses.
Onion Services
Tor also extends anonymity to websites and other servers running as onion services. Such a server can be configured to accept inbound connections only through the Tor network, which hides the web server's IP address: clients reach it through its onion address (a .onion name) instead.

The Tor network resolves an onion address by looking up the service's descriptor, which contains its public keys, in a distributed hash table within the network. It can route data to and from onion services even when they sit behind firewalls or NAT (private IP --> public IP), while preserving the anonymity of both parties. In addition, the connection never leaves the Tor network, so it is end-to-end encrypted between client and service with no exit relay in the path.
Onion services have become increasingly popular, with many well-known sites such as Twitter, Facebook, Reddit and The New York Times running their own onion services.
Although Tor was designed to minimize censorship and promote OPSEC and anonymity, features such as onion services also allow illegal content to be hosted on .onion addresses. Not every site on Tor is illegal, just as on the clearnet, but malicious actors do take the opportunity to host and share dangerous and illegal content.
Attacks and Limitations
As with all software, there are limits to the protection Tor can provide. Although exploits aimed directly at Tor are rare, user error, social engineering and simple mistakes can all undermine a user's anonymity.
ROS Reports
According to the 2023 Radically Open Security report, the Tor Project commissioned penetration tests of the Tor Browser, the bandwidth scanner and the network, which resulted in 17 confirmed vulnerabilities, 2 of them of unknown severity.
Tor's Onion Bandwidth Scanner (onbasca) suffered from a Cross-Site Request Forgery (CSRF) vulnerability via HTTP GET. CSRF abuses a web application's trust in the victim's browser: because the browser automatically attaches the victim's session cookie, an attacker can make it send a request that changes state on the victim's behalf, from changing an email address, password or bank details up to, in the worst case, actions that help de-anonymize the user. The forged request can be triggered by a malicious link clicked while the victim is logged in to the target site, by injected JavaScript (through an ad or an XSS vulnerability), by an image tag pointing at the vulnerable URL, or by a hidden form on an attacker-controlled page.
Common Methods for Sending CSRF Attacks
GET Requests: CSRF attacks can be triggered by a simple HTTP GET request carrying the action in URL parameters, for example an image tag on the attacker's page:
<img src="http://vulnerablewebsite.com/change-password?newpassword=maliciouspassword" />
POST Requests: If a website requires a POST request to perform an action (for example, sending form data to the server), the attacker can embed a hidden form on their own page and auto-submit it. For example:
<form action="http://vulnerablewebsite.com/change-password" method="POST">
<input type="hidden" name="newpassword" value="maliciouspassword">
<input type="submit" style="display:none;">
</form>
<script>
document.forms[0].submit();
</script>
JavaScript: One of the biggest risks for Tor users. Tor Browser allows JavaScript at its default 'Standard' security level and only disables it on the 'Safest' level, so unless the user raises the level, a page can run script that fires cross-site requests without the user noticing, which in combination with other vulnerabilities can be used against the victim. For example, a request sent simply by creating an image object:
var img = new Image();
img.src = "http://vulnerablewebsite.com/transfer?amount=1000&to=attacker";
EverCookie
Originally developed by Samy Kamkar in 2010, Evercookie (also referred to as a supercookie) is an open-source JavaScript API that recreates deleted cookies from other storage locations in the user's browser. An HTTP cookie is used to store information about a user. When a user first visits a website, the web server creates a unique identifier and stores it in the user's browser; the site uses it to 'remember' the user, tying together things such as login state, site preferences and advertising profiles. For example, the server's response on a first visit sets the cookies:
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yummy_cookie=chocolate
Set-Cookie: tasty_cookie=strawberry
[page content]
The response above is the initial creation of the cookies on the user's first visit. On every later request to the same site, the browser sends them back, which is how the server recognizes the user:
GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=chocolate; tasty_cookie=strawberry
Once a user has visited a site, persistent cookies stay in the browser until they expire or are deleted, and the browser sends them on every later visit. This is why when you open YouTube or log in to your password manager you are not treated as a new user: your recommendations are there and there is no login prompt.

Cookies are easy to set with an HTTP header, and because users can delete them, trackers have tried many techniques to make identifiers survive deletion, including Flash cookies (Local Shared Objects), ETags and Evercookie.
Rather than relying on the browser's cookie store alone, Evercookie writes the identifier to more than a dozen storage mechanisms and rebuilds any copy the user deletes from the copies that remain, so a user who clears only some of them is still trackable. The 2013 NSA leaks (the Tor Stinks slides discussed below) listed cookie leakage as one avenue for de-anonymizing Tor users, either because some cookies are not fully cleared, or by linking the cookies a user carries inside Tor to the same cookies seen outside Tor.
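The resurrection behaviour described above, as an added example that is not Samy Kamkar's evercookie code: a simplified model in which the "browser" is a set of in-memory stores standing in for document.cookie, localStorage, sessionStorage, IndexedDB and window.name. The store names, the identifier and the wipe scenario are constructed for the demo; the mechanism (write everywhere, read any survivor, rewrite the rest) is the one Evercookie uses.

```javascript
// Added example (not evercookie's code): how an Evercookie-style identifier
// survives a partial wipe. Stores are in-memory Maps constructed for the demo.
const STORE_NAMES = ["cookie", "localStorage", "sessionStorage", "indexedDB", "windowName"];

function newBrowser() {
  return Object.fromEntries(STORE_NAMES.map((name) => [name, new Map()]));
}

// Write the identifier to every store at once.
function setEverywhere(browser, key, id) {
  for (const name of STORE_NAMES) browser[name].set(key, id);
}

// Read the identifier: take the first surviving copy and immediately write
// it back into every store that lost it. This resurrection step is what
// makes the identifier "ever".
function getAndResurrect(browser, key) {
  let survivor = null;
  const missing = [];
  for (const name of STORE_NAMES) {
    const value = browser[name].get(key);
    if (value === undefined) {
      missing.push(name);
    } else if (survivor === null) {
      survivor = value;
    }
  }
  if (survivor !== null) for (const name of missing) browser[name].set(key, survivor);
  return { id: survivor, resurrected: survivor === null ? [] : missing };
}

// What "clear cookies" or a selective privacy wipe does: empties some stores.
function clearStores(browser, names) {
  for (const name of names) browser[name].clear();
}

// Tor Browser's answer: discard every store when the session ends, so there
// is nothing left to resurrect from.
function endSession(browser) {
  clearStores(browser, STORE_NAMES);
}

// Scenario: a tracker sets an id, the user clears cookies and localStorage,
// the tracker gets the id back; only clearing everything breaks the link.
function scenario() {
  const browser = newBrowser();
  setEverywhere(browser, "uid", "7f3a-tracker-id");
  clearStores(browser, ["cookie", "localStorage"]);
  const afterPartialWipe = getAndResurrect(browser, "uid");
  const cookieRestored = browser.cookie.get("uid") === "7f3a-tracker-id";
  endSession(browser);
  const afterFullWipe = getAndResurrect(browser, "uid");
  return { afterPartialWipe, cookieRestored, afterFullWipe };
}
```

The practical lesson for Tor users is the last step: clearing one or two stores is not a defence, which is why Tor Browser isolates storage per site and discards all of it when the browser closes, and why carrying the same browser profile between Tor and clearnet sessions links the two.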

Tor Stinks
Tor Stinks is a leaked NSA presentation from 2012 on de-anonymizing Tor users. It describes many ways to catch Tor users, from cookie leakage as discussed above, to human error, to attacks that rely on exit nodes.
Circuit Reconstruction
Circuit Reconstruction uses information gathered by surveillance-operated Tor nodes (specifically exit nodes under government control) to try to unmask a user by correlating what those nodes see. Only a small fraction of Tor nodes are under such control, though the slides describe this as an expanding operation.
Node Lifespan
Knowing when a specific IP was a Tor node, rather than only whether it is one. Because relays come and go, the slides describe detection runs once an hour by NTOC (the NSA/CSS Threat Operations Center) using a tool known as 'RONIN' to make the scans more efficient.
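The same distinction from the defender's side, as an added example that is not an NSA or Tor Project tool: matching connection logs against relay lifespans rather than against a single current exit list. A real implementation would build the lifespan table from archived Tor consensus documents; the relay windows and the log lines below are constructed for the demo (TEST-NET addresses).

```javascript
// Added example (not an NSA or Tor Project tool): time-aware matching of
// access-log entries against exit-relay lifespans. Relay list and log lines
// are constructed for the demo.

// Each entry: the window during which an IP was published as an exit relay.
const EXIT_LIFESPANS = [
  { ip: "198.51.100.7", firstSeen: "2025-07-01T00:00:00Z", lastSeen: "2025-07-12T23:00:00Z" },
  { ip: "203.0.113.42", firstSeen: "2025-06-20T00:00:00Z", lastSeen: "2025-07-20T00:00:00Z" },
];

// Constructed access lines: "<ISO timestamp> <client ip> <request>".
const SAMPLE_LOG = [
  "2025-07-10T12:00:00Z 198.51.100.7 GET /login",         // inside lifespan -> Tor exit
  "2025-07-15T09:30:00Z 198.51.100.7 GET /login",         // IP reassigned after lifespan
  "2025-07-15T09:31:00Z 203.0.113.42 POST /api/transfer", // inside lifespan -> Tor exit
  "2025-07-15T09:32:00Z 192.0.2.9 GET /",                 // never a relay
];

// Was this IP an exit relay at this instant?
function wasTorExit(ip, atIso, lifespans = EXIT_LIFESPANS) {
  const at = Date.parse(atIso);
  return lifespans.some((r) =>
    r.ip === ip && at >= Date.parse(r.firstSeen) && at <= Date.parse(r.lastSeen));
}

function parseLogLine(line) {
  const [timestamp, ip, ...rest] = line.trim().split(/\s+/);
  return { timestamp, ip, request: rest.join(" ") };
}

// Keep only the entries whose source was a Tor exit at that moment.
function flagTorConnections(lines, lifespans = EXIT_LIFESPANS) {
  return lines.map(parseLogLine).filter((e) => wasTorExit(e.ip, e.timestamp, lifespans));
}

// The naive check for comparison: "is this IP on the exit list at all",
// ignoring time. It wrongly flags the second line, where the address had
// already been reassigned to someone else.
function flagByIpOnly(lines, lifespans = EXIT_LIFESPANS) {
  const known = new Set(lifespans.map((r) => r.ip));
  return lines.map(parseLogLine).filter((e) => known.has(e.ip));
}
```

Run against the sample, the time-aware filter returns two entries and the IP-only filter three; the difference is exactly the "when, not if" point the slide makes, and it cuts both ways: a stale exit list produces false positives for reassigned addresses and false negatives for relays that appeared after the list was fetched.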
Timing Pattern
Sending packets back to clients that are detectable through passive observation, so that a Tor user's real IP can be found by sniffing, eavesdropping or traffic analysis at the edges of the network and correlating the timing patterns.
Shaping
Directing target computers to 'friendly' exit nodes, or running a separate 'private' Tor network; 'staining' a target's traffic so it can be recognized later, or instructing the target's computer to use a service that connects outside of Tor, which reveals the true IP.
Human Errors
Probably the biggest vulnerability in using Tor is human error. Whether it is not following proper OPSEC principles, clicking malicious links, or simple carelessness, any of these can destroy the privacy Tor provides, and Tor cannot save you from yourself.
OPSEC Failures
The most important topic in protecting your privacy is Operational Security. It is the backbone for resisting unwanted surveillance and keeping yourself safe from external threats. Using FOSS (Free and Open-Source Software) projects such as Tor, Tails, VeraCrypt, PGP and Monero can add real protection if something ever goes wrong. It is also important to stay up to date with security news; outlets such as Hacker News carry good articles about newly found threats.