5 matches found
Invisible Chat Participant
onionshare-cli allows invisible chat participants. Any user, public or authenticated, is able to send chats without being visible in the chat list due to lack of secure validation of active users in a chat environment session...
User Impersonation
onionshare-cli is vulnerable to user impersonation. An attacker with access to the chat environment is able to update the name string to that of another user by appending a space character at the end of it, allowing them to impersonate other participants...
Improper Access Control in Onionshare
Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. - Vulnerability ID: OTF-003 - Vulnerability type: Improper Access Control - Threa...
Username spoofing in OnionShare
Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. - Vulnerability ID: OTF-005 - Vulnerability type: Improper Input Sanitization -...
CVE-2022-21696 Username spoofing in OnionShare
OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions it is possible to change the username to that of another chat participant with an additional space character at the end of the nam...