CVE-2023-36325

i2p before 2.3.0 Java allows de-anonymizing the public IPv4 and IPv6 addresses of i2p hidden services aka eepsites via a correlation attack across the IPv4 and IPv6 addresses that occurs when a tunneled, replayed message has a behavior discrepancy it may be dropped, or may result in a Wrong...

CVE-2023-36325

Removed by vendor...

BIT-MEDIAWIKI-2023-29137

An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users...

CVE-2023-29137

An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users...

CVE-2023-29137

An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users...

CVE-2023-29137

An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. The UserImpactHandler for GrowthExperiments inadvertently returns the timezone preference for arbitrary users, which can be used to de-anonymize users...

Moodle Reveals Student Information Meant To Be Anonymous

The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by 1 using a screen reader or 2 reading the HTML source...

Researchers Uncover Novel Way to De-anonymize Device IDs to Users' Biometrics

Researchers have uncovered a potential means to profile and track online users using a novel approach that combines device identifiers with their biometric information. The details come from a newly published research titled "Nowhere to Hide: Cross-modal Identity Leakage between Biometrics and...

DOJ Dismisses Playpen Case to Keep Tor Hack Private

Intent on keeping details private about how it hacked the Tor browser, prosecutors with the U.S. Department of Justice on Friday asked to dismiss a case involving a suspect who visited the Playpen dark web child pornography site in 2015. “The government must now choose between disclosure of...

Mozilla Patches Firefox Zero Day Used to Unmask Tor Browser Users

As expected, Mozilla released a new version of Firefox on Wednesday to address a zero-day vulnerability that was actively being exploited to de-anonymize Tor Browser users. The vulnerability, disclosed on a public Tor Project mailing list late Tuesday night, forced the Tor Project to also issue a...

Tor Patched Against Zero Day Under Attack

Update The Tor Project has provided a browser update that patches a zero-day vulnerability being exploited in the wild to de-anonymize Tor users. “The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of...

Tor: FBI Paid CMU $1 Million to De-Anonymize Users

More than a year ago, the Tor Project patched its software against a vulnerability being exploited by researchers at Carnegie Mellon University, it said, for the purpose of de-anonymizing users of Tor hidden services. Yesterday, Tor Project director Roger Dingledine accused the prominent Pittsbur...

HackerOne: HackerOne Private Programs users disclosure and de-anonymous-ize

Hi HackerOne Team, I have found a bug in HackerOne Platform allows any attacker to deanonymousize any security researcher using the platform and the most wild usage is to disclose some information about this security researcher if he is invited to a private program or not. Unfortunately HackerOne...

New Timing Attack Could De-Anonymize Google Users

A new timing attack has been disclosed that could de-anonymize Google users under particular conditions. Google acknowledged the issue to researcher Andrew Cantino, the vice president of engineering at Mavenlink, but told him it would not address the issue because the risk is low. “I agree that...

Attackers Compromise TOR Network to De-Anonymize Users of Hidden Services

A critical vulnerability in Tor — an encrypted anonymizing network considered to be one of the most privacy oriented service, which is used by online users in order to hide their activities from law enforcement, government censors and others — was probably being used to de-anonymize the identity ...

Secret: ClientId gives away platform (iOS/Android) from which a secret was posted.

In /stream API request each post contains a property named "ClientId". I suppose it's generated by client applications when user is posting a secret. It seems that iOS and Android applications generate this string quite differently: xLfLHR six random characters — iOS...