OnionScan Report: This One Weird Trick Can Reveal Information from 25% of the Dark Web

Welcome to the seventh OnionScan Report. The aim of these reports is to provide an accurate and up-to-date analysis of how anonymity networks are being used in the real world.

In this report we will examine how a small change to a regular HTTP request can reveal information, and sometimes deanonymize a large number of hidden services.

Summary

Over a quarter of hidden services hosted on the Tor network are vulnerable to Hostname Hacking (compared to 7% vulnerable to mod_status leaks). For many this simply reveals co-hosted sites; for a smaller subset, it means deanonymization.

A Note on Numbers

The lifespan of an onion service can range from minutes to years. When providing generalised numbers, especially percentages, we report approximate figures based on multiple scans over a period of time, rather than a single snapshot.

25% of Onions are Vulnerable to Hostname Hacking

We recently talked about Hostname Hacking, a technique that exploits misconfigured virtual hosts on a web server to trick a hidden service into revealing more information about itself.

We have scanned 15,000 onion domains (of which just over 11,000 were online consistently enough to be queried).

During these tests we simply replaced the Host: HTTP header with localhost instead of the site's onion domain. We then compared the responses to the normal Host and the hacked Host.

This modification is not enough to fully exploit the site in many cases, but a difference in response tells us that virtual hosts are unlikely to be configured correctly. (It is worth noting that even an error condition can be enough to reveal information: sometimes servers print their real IP address in server error pages, and sometimes a common error condition is enough to link servers.)
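As an added example (not OnionScan's code), here is a self-check a hidden service operator can run against their own site in the form the report describes: build the two requests, differing only in the Host header, then compare the responses with volatile headers removed and flag the disclosures the report lists (server-status, IP addresses, directory listings). Transport over the Tor SOCKS proxy and response parsing are left to the caller; the response tuples, header values and the 203.0.113.7 address are constructed.

```python
import re
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)
# Headers that legitimately change between two requests to the same server.
VOLATILE = {"date", "set-cookie", "etag", "last-modified", "expires"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def build_request(onion: str, host_header: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request; the Host header is the only thing varied between the
    two probes. Accept-Encoding is kept because the report notes some hosts
    misbehave without that Tor Browser default header."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
            "Accept-Encoding: gzip, deflate\r\nConnection: close\r\n\r\n").encode("ascii")

def normalise(resp: Response):
    """Drop volatile headers so only real behavioural differences remain."""
    status, headers, body = resp
    kept = tuple(sorted((k.lower(), v) for k, v in headers.items()
                        if k.lower() not in VOLATILE))
    return status, kept, body

def leak_markers(body: str) -> List[str]:
    """Flag the disclosures the report lists for a bad-Host response."""
    found = []
    if "Index of /" in body:
        found.append("directory listing")
    if "Apache Server Status" in body or "/server-status" in body:
        found.append("server-status")
    ips = sorted({ip for ip in IPV4.findall(body) if not ip.startswith("127.")})
    if ips:
        found.append("ip:" + ",".join(ips))
    return found

def audit(normal: Response, hacked: Response) -> Dict[str, object]:
    """Compare the real-Host response with the Host: localhost response."""
    differs = normalise(normal) != normalise(hacked)
    return {"differs": differs, "markers": leak_markers(hacked[2]) if differs else []}

# Constructed sample responses: a correctly configured site (only Date moves)
# and a misconfigured one whose default vhost is a personal directory listing
# on a documentation-range (RFC 5737) address.
SAMPLE_NORMAL = (200, {"Server": "nginx", "Date": "Mon, 01 Jan 2000 00:00:00 GMT"},
                 "<html>welcome</html>")
SAMPLE_SAME = (200, {"Server": "nginx", "Date": "Mon, 01 Jan 2000 00:00:01 GMT"},
               "<html>welcome</html>")
SAMPLE_HACKED = (200, {"Server": "nginx", "Date": "Mon, 01 Jan 2000 00:00:00 GMT"},
                 "<h1>Index of /</h1><a href='notes.txt'>notes.txt</a> on 203.0.113.7")
```

A site whose default virtual host answers identically for any Host value (or returns a bare, server-independent error) yields `differs: False`; anything else is worth fixing before it is found by a scan.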

We found over ~2800 sites that responded differently to the regular Host compared to the hacked Host. This indicates that over 25% of hidden services are vulnerable to this technique.

However, ~1400 (~50%) of these are all from the large FreedomHosting II hosting provider, which defaults to a Double Your Bitcoin scam when you request Host: localhost.

When we remove FHII-hosted sites from our figures we still find that over 12% of online hidden services have this vulnerability.

Unlike Apache mod_status leaks, hostname hacking affects all major web servers, including nginx and lighttpd. This means that hostname hacking vulnerabilities are far more pervasive (~12% of all non-FHII sites) than mod_status leaks are (~7% of all sites).

One Weird Trick - Multiple Possibilities

We have only talked about hostname hacking as a way to detect co-hosting; however, further analysis has revealed a couple more interesting uses:

  • Certain server configurations won't expose /server-status over a regular Host: abcdefghijklmnop.onion request but will expose it over a Host: localhost request.
  • Badly configured services will expose emails, IP addresses and more in error pages caused by a bad Host parameter, which they would not expose in other contexts.
  • A large number of sites vulnerable to hostname hacking reveal an open directory file listing, or an otherwise personal site, on a Host: localhost request. This indicates that many are co-mingling personal data with anonymous sites, a very bad practice.

Other HTTP Headers

We found it wasn't just the Host header: other sites expect the presence of other Tor Browser default HTTP headers and will act differently if they are missing. One of the most stark examples we found was a web hosting provider where all sites would show the same (custom) error if the Accept-Encoding: gzip, deflate header was not sent. This kind of bot detection is not only useless, it actually compromises all the sites that are co-hosted by the provider.

Other OnionScan News

Get Involved

If you would like to help please read Sarah's post OnionScan: What's New and What's Next for some great starting off points. You can also email Sarah (see her profile for contact information).

If you would like to support further research and development of tools like OnionScan, you can become a patron at Patreon.

Goals for the OnionScan Project

  • Increase the number of scanned onion services. We have so far only successfully scanned ~6500 (out of ~12,000 domains scanned).
  • Increase the number of protocols scanned. OnionScan currently supports light analysis for HTTP(S), SSH, FTP and SMTP, and detection for Bitcoin, IRC, XMPP and a few other protocols. We want to grow this list, as well as provide deeper analysis on all protocols.
  • Develop a standard for classifying onion services that can be used for crime analysis as well as for an expanded analysis of usage, from political activism to instant messaging.