Tails 5.0 Linux users warned against using it “for sensitive information”


Tails developers have warned users to stop using the Debian-based portable Linux distribution until the next release if they enter or access sensitive information using the bundled Tor Browser application.

Tails (short for The Amnesic Incognito Live System) is a Linux distribution focused on protecting the anonymity of users (e.g. activists and journalists) and helping them circumvent censorship by forcing all connections to and from the Internet through the Tor network.

“We recommend that you stop using Tails until the release of version 5.1 (May 31) if you use the Tor browser for sensitive information (passwords, private messages, personal information, etc.)”, warned the Tails developers.

This warning was triggered by two critical zero-day bugs in the Firefox JavaScript engine (tracked as CVE-2022-1802 and CVE-2022-1529), exploited during day one of the Pwn2Own 2022 Vancouver hack contest and fixed by Mozilla two days later.

Although bugs have already been fixed upstream, the developers cannot provide fixes for any of the included applications until the next release, since Tails is a live Linux distribution.

The vulnerabilities allow attackers to access information from other websites visited using the Tor Browser if successfully exploited.

“For example, after visiting a malicious website, an attacker controlling that website can gain access to the password or other sensitive information that you then send to other websites during the same Tails session”, adds the Tails review.

Tails still safe for some users

The Tails developers also explained that the flaws do not affect Tor Browser users when used at the safest level of security, as it automatically disables JavaScript while browsing.

Likewise, Thunderbird users are not impacted because the version that comes with the Tails Linux distribution has JavaScript disabled by default.

Additionally, Tails users who do not use or access sensitive information through the Tor Browser can still use it safely because security vulnerabilities do not break the encryption and anonymity of Tor connections.

“Mozilla is already aware of websites exploiting this vulnerability. This vulnerability will be patched in Tails 5.1 (May 31), but our team does not have the ability to release an emergency release sooner,” the Tails team warned. .


Comments are closed.