Researchers find serious flaw in I2P, an anonymizing layer used in “amnesic” OS Tails

Security outfit Exodus Intelligence has found a serious flaw in the I2P anonymizing network layer, which is a feature found in the privacy-focused Tails Linux distribution. It’s not a vulnerability in Tails itself, as some have interpreted it — particularly as I2P isn’t turned on by default in the live OS.
Tails (The Amnesic Incognito Live System) is a Linux distribution that’s designed to run from a DVD, SD card or USB stick, with all outgoing connections going through the Tor anonymizing network. It comes heavily recommended by Edward Snowden and the Tor folks, who created it. I2P (the Invisible Internet Project), which is available for other platforms too, is an anonymizing layer that can be used by applications for secure communications — within Tails it acts as an alternative to Tor, suitable for certain use-cases.
Exodus is a security research firm that sells vulnerabilities that it finds (though it gives information on those vulnerabilities to the affected companies and projects for free). The outfit caused conniptions a few days ago when it said it had found “zero-day” vulnerabilities relating to Tails – “zero days” are flaws that those who produce the flawed software don’t know about yet. Exodus VP Aaron Portnoy subsequently referred to a “Tails 0day” on Twitter(s twtr).
However, an Exodus blog post on Wednesday cleared things up somewhat, stating that the vulnerability “affects the popular Tails operating system.” I2P, the firm explained, is mostly used by Tails users, because it’s bundled with the live OS. Exodus included a video demonstration showing the exploit in action, but said it would only present technical details once the Tails team has patched its distribution.
The exploit is a cross-site scripting attack that can effectively de-anonymize the user. This is obviously serious given the purpose of I2P, but again, I2P isn’t turned on by default (because of zero-day fears). In addition, as the I2P team pointed out, disabling JavaScript will also mitigate attacks.
As it happens, version 1.1 of Tails came out on Tuesday. Users, who are generally journalists or activists in nastier corners of the globe, are strongly advised to upgrade due to “several security holes” in the preceding version.