While implementing Tox in Rust we've found a vulnerability in the onion module.
Currently the onion module allows sending any byte sequence through an onion path. This can lead to the possibility of bypassing the onion and getting the IP address (and the friends list eventually) while knowing only the long-term public key.
Let's say Alice announces herself to Bob by sending an AnnounceRequest packet through an onion path. After the announcement Bob knows Alice's long-term public key and the onion return addresses to send packets back to Alice. But Bob doesn't know Alice's IP address and wants to find it out. All he needs to do is send a NAT ping request with his own DHT public key to Alice through the onion path, using the onion return addresses he knows. If Bob is lucky enough to have a DHT public key close to Alice's key, Alice will redirect this ping request directly to Bob. After receiving his own request Bob will know Alice's IP address.
Now, if someone wants to know somebody's IP address, he can generate a DHT key close enough to the long-term public key, wait for an announce request, run many DHT nodes and send pings to them one by one.
So I suggest restricting the packet kinds that can be sent through an onion path: #872
I also monitored the Tox network through several DHT nodes and didn't notice anything other than onion announce/data packets being sent through the onion. So this change shouldn't break anything.
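One way to express the proposed restriction, as an added example that is not tox-rs or c-toxcore code: an allowlist applied at the last onion hop, so that only onion announce/data packets are handed to the node's regular packet handlers and anything else (for instance a DHT request carrying a NAT ping) is dropped. The packet-ID byte values are assumed from the toxcore protocol and are not taken from this issue; the sample packets are constructed.

```rust
// Added example: allowlisting the packet kinds that may leave an onion path.
// Not tox-rs or c-toxcore code. Packet-ID byte values are assumptions taken
// from the toxcore protocol as understood by the author of this example.

/// Packet kinds that the onion path legitimately delivers at its last hop.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OnionPayloadKind {
    AnnounceRequest,
    AnnounceResponse,
    OnionDataRequest,
    OnionDataResponse,
}

impl OnionPayloadKind {
    /// Map the leading packet-ID byte to an allowed kind; None for everything else.
    fn from_id(id: u8) -> Option<Self> {
        match id {
            0x83 => Some(Self::AnnounceRequest),   // assumed toxcore ID
            0x84 => Some(Self::AnnounceResponse),  // assumed toxcore ID
            0x85 => Some(Self::OnionDataRequest),  // assumed toxcore ID
            0x86 => Some(Self::OnionDataResponse), // assumed toxcore ID
            _ => None,
        }
    }
}

/// Why a payload that arrived through the onion was not passed on.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Rejected {
    Empty,
    DisallowedKind(u8),
}

/// Decision at the last onion hop, before the unwrapped payload reaches the
/// regular handlers. The behaviour described in the issue forwards every byte
/// sequence; this allowlist only lets onion announce/data packets through.
pub fn classify_onion_payload(payload: &[u8]) -> Result<OnionPayloadKind, Rejected> {
    let id = *payload.first().ok_or(Rejected::Empty)?;
    OnionPayloadKind::from_id(id).ok_or(Rejected::DisallowedKind(id))
}

/// Run the allowlist over a batch of unwrapped payloads and split them into
/// the ones that would be dispatched and the rejection reasons for the rest.
pub fn filter_onion_batch<'a>(
    packets: &[&'a [u8]],
) -> (Vec<(OnionPayloadKind, &'a [u8])>, Vec<Rejected>) {
    let mut accepted = Vec::new();
    let mut rejected = Vec::new();
    for &p in packets {
        match classify_onion_payload(p) {
            Ok(kind) => accepted.push((kind, p)),
            Err(reason) => rejected.push(reason),
        }
    }
    (accepted, rejected)
}

/// Constructed sample payloads; only the first byte matters for the allowlist.
pub fn sample_batch() -> Vec<Vec<u8>> {
    vec![
        vec![0x83, 0xAA, 0xBB], // announce request: allowed
        vec![0x20, 0x01, 0x02], // DHT request (the packet a NAT ping rides in): dropped
        vec![0x85, 0x11],       // onion data request: allowed
        vec![0x00, 0x00],       // plain DHT ping request: dropped
        vec![],                 // malformed, empty payload: dropped
    ]
}

fn main() {
    let batch = sample_batch();
    let refs: Vec<&[u8]> = batch.iter().map(|v| v.as_slice()).collect();
    let (accepted, rejected) = filter_onion_batch(&refs);
    for (kind, p) in &accepted {
        println!("dispatch {:?} ({} bytes)", kind, p.len());
    }
    for r in &rejected {
        println!("drop: {:?}", r);
    }
}
```

The check deliberately keys on the outer packet ID alone: the point of the proposal is that the onion path should carry only the onion's own announce/data traffic, so nothing that would be routed by the DHT or NAT-ping code is ever unwrapped and redirected on behalf of an anonymous sender.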