The developers of the popular Tails OS (operating system) are warning its users to cease use of their tool due to privacy concerns after the discovery of a prototype pollution vulnerability.
“We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).” The Tails Developers stated in a blog post on May 24.
Tails is short for “The Amnesic Incognito Live System” which is a Debian-based Linux distribution focused on protecting users’ anonymity (e.g. activists and journalists). The main feature of Tails is it allows anyone to circumvent censorship by routing all internet traffic through the Tor network.
This warning was given by the Tails team due to two critical zero-day exploits in the Firefox JavaScript engine. These zero-days are being tracked under CVE codes CVE-2022-1802 and CVE-2022-1529. They were originally used on the first day of the Pwn2Own 2022 Vancouver hacking contest. These exploits were patched by Mozilla two days later.
While the exploits have been patched, the developers are unable to deliver patches for any of the included apps within Tails due to Tails being a live Linux distro. A live Linux Distro is a Linux operating system that runs completely from RAM. This allows you to run a full instance of the operating system (from either CD/DVD or USB) without making changes to your current system.
These vulnerabilities allow attackers to access info from other websites visited while using the Tor Bowser.
“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session,” the Tails blog post adds.
What is the Tails OS used for?
The Tails OS is predominantly utilized against online surveillance and prevents third-party tracking from companies such as Google and Facebook. The operating system also forces all traffic through the Tor network. The Tor network is a powerful anti-surveillance network built around an encrypted peer-to-peer (P2) network which protects users against traffic analysis as well as having the ability to circumvent censorship put into place by governments or your internet service providers.
Tails OS Vulnerability Workaround
The Tails developers explained that the flaws do not affect Tor Browser users on the safest security level because JavaScript is completely disabled with that level while browsing.
Thunderbird which is also packaged with the Tails OS is not impacted as JavaScript is disabled by default.
Additionally, individuals that use Tails to access information that isn’t sensitive via the Tor Browser will be able to use it safely as the security weaknesses don’t break the encryption and privacy of the Tor peer-to-peer network.
“Mozilla is aware of websites exploiting this vulnerability already. This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn’t have the capacity to publish an emergency release earlier,” the Tails team warned in the blog post.