DHL and Nucleus both use SVGs in their design, which are known to be easily modifiable to deanonymize users not using Tails or Whonix. It is as bad as using javascript and anyone running a DNM should know better.

It is a well known fact that SVGs can be modified to call home, this isn't a bug its a feature. The look up won't happen over tor and denonaymize the user. This has been used to deanonymize people before and it would not be surprising if it was used again.


Comments


[5 Points] VedadoAnonimato:

You mean an image loaded on Tor Browser would be able to access clearnet? Wouldn't that be a security flaw in Tor Browser?


[5 Points] Trappy_Pandora:

The DHL shilling is thick too.


[5 Points] NucleusMarket:

When we were preparing the Nucleus, SVG was not blocked by Tor Browser. Then they discovered a bug in Tor Browser ( https://trac.torproject.org/projects/tor/ticket/16397 ) causing browser crashes and another problems. That is why was SVG blocked until the bug will be resolved. SVG icons are saved directly in HTML and they are only coordinates of individual points. Do you have any sources (articles or discussions) with more informations about this security threat? Thanks.

BTW we are working on a new design with mobile devices support.


[4 Points] CocaineNose:

has bad as using javascript?! I don't know about that. Any write ups on this?


[3 Points] None:

[deleted]


[3 Points] edgy_le_rape:

It is a well known fact

Do you have a source?


[4 Points] culdesacked:

I agree that Scalable Vector Graphics should be avoided. Set the security slider in TBB 5.x to high and it will disable opentype font rendering and inline SVG. Setting it to high should no longer cause crashes, according to: https://trac.torproject.org/projects/tor/ticket/16495


[4 Points] HappySodomy:

So just use tails?


[2 Points] None:

Tails and whonix should be used anyways. But im sure theres tons of people usining insecure OS's


[2 Points] wookiesuit:

Market bashing intensifies.


[1 Points] None:

[deleted]


[1 Points] HeavyDrugConsumer:

Some information on how SVGs can denonaymize users would be really useful for everyone here


[1 Points] None:

Ha. I just saw this after I posted. I was just trying to get on DHL and they're throwing up visible PHP errors instead of failing silently.


[1 Points] sapiententity:

Have you got a link with further details SVGs permitting deanonymisation? Couldn't find anything from some quick searching, and I'm curious to know more as this is the first I've heard of it.


[1 Points] SupaHaxxoor:

hacks4dick is that you?


[1 Points] jolskini:

Let me get this straight, are you implying that all you have to do to deanonymize TBB users ( non-tails/whonix ) including those who disable javascript, is to put a normal exploit-free SVG image on your .onion website?


[1 Points] The_Grid_Is_Up:

He isn't wrong...


[1 Points] REALLYICANTHEARQ3:

So SVG's will denanonymize TBB users but it wont happen over Tor or deanonymize the user, but it has deanonymized users before.

You know mods this is one of those posts where you actually have to do your job.


[0 Points] Kazaa99:

Its gladly NOT a well known fact!

SVG can run event handlers and javascript if enabled. Nothing more. Since Javascript right now doesn't really posses any threat we know of, its pretty far fetched to start fearing simple svg image files.

Its terrible when people who doesn't know much about computers and programming start giving advice in security. It makes to many people scared, and start spreading all sorts of nonsense about what to be afraid of.


[-1 Points] None:

[deleted]