A default configuration used by the Apache http server has been discovered as vulnerable to uncovering the identity of Tor users.
The Apache server's mod_status page displays uptime, resource usage, and active HTTP requests statistics – and is only accessible from localhost. This settling was selected to enhance the security of mod_status, but Tor relay uses localhost as a web proxy to ensure that users' location information remains private.
Tor users who do not disable the Apache mod_status configuration could have their server-status exposed, which would allow an attacker to surveil sensitive requests, and could be used to determine the IP address of Tor users.
The configuration has been known to experienced Tor users as the Tor Project message board showed, but was highlighted in a recent blog post by an anonymous computer science student.
Last month, Facebook integrated Orbot, a proxy application that helps mobile users access the Tor network on Android phones, into its release of Facebook Android. Orbot was created by the Guardian Project, an open-source software project. The Tor Browser's lead developer Mike Perry said in December that the Tor Project will launch a bug bounty program in 2016.
The Apache Software Foundation and Tor network did not reply to requests from SCMagazine.com seeking comment about the default configuration.