The platform behind the anonymous tip-off services used by a number of major media outlets contains a software flaw that potentially allows unauthorised access.
Overnight, a group calling itself “Elliptic TAO Team” revealed what it termed “several critical vulnerabilities” in the SecureDrop whistleblowing software, which is used by The Guardian, Washington Post, The Intercept and The New Yorker, among others. The flaw was later confirmed by a SecureDrop developer, who said the flaw wasn’t as extensive as claimed.
SecureDrop is an open-source anonymous document drop and communication interface initially developed by the late Aaron Swartz and now run by the Freedom of the Press Foundation. In its release, the Elliptic TAO Team claimed that a vulnerability would allow someone to create fake users and access other users’ accounts, including accessing their documents and interacting with sources under the guise of legitimate account holders.
SecureDrop’s lead developer confirmed the vulnerability but said a key authorisation cookie was still required to enable the bug to deliver the results claimed, and even with the cookie, intruders would be unable to access documents sent to other journalists. The bug was created when the development team updated the software to address a bug identified in a security audit, but the update itself wasn’t audited prior to being rolled out. A fix is urgently being rolled out at the moment.
The safety of leaking to the press is a vexing issue for media companies in light of Edward Snowden’s revelations about how pervasive National Security Agency and “5 Eyes” internet and communications surveillance is across the world. The issue is particularly prominent in Australia currently, after legislation for the government’s mass surveillance scheme, including “protections” for journalists, passed parliament last week. The Australian Financial Review‘s Laura Tingle received a drubbing from online security specialists and some journalists for an article telling potential whistleblowers to use Skype or offshore-based email services. Journalists have been arguing among themselves about security for sources, particularly those who deal with government leakers who are more likely to be pursued by the Australian Federal Police.
Systems like SecureDrop are intended to solve the problem to the extent it can be, by providing a secure, anonymous interface between journalists and sources that can’t be accessed by security agencies via legal or extra-legal means, which is why a potential vulnerability in the platform is so concerning.
For potential sources who really are concerned about their vulnerability, there’s a how-to from the oldest leak site, Cryptome.org, but it’s not for the faint-hearted. And all sources should understand that between human and IT vulnerabilities, there’s no such thing as safe leaking, you can only ever minimise risk, not eliminate it.