The Tails operating system is one of the most trusted platforms in cryptography, favored by Edward Snowden and booted up more than 11,000 times per day in May. But according to the security firm Exodus Intelligence, the program may not be as secure as many thought. The company says they've discovered an undisclosed vulnerability that will let attackers deanonymize Tails computers and even execute code remotely, potentially exposing users to malware attacks. Exodus is currently working with Tails to patch the bug, and expects to hand over a full report on the exploit next week.
"You can't trust any of these systems 100 percent."
"We're hesitant to release any technical details because we don't want anyone to be able to reproduce [the exploit]," Exodus co-founder Aaron Portnoy told The Verge. After announcing the discovery in a tweet yesterday, the company has promised to withhold the details of the bug until it is successfully patched, a process that could take months. Exodus sells undisclosed vulnerabilities as part of its business, but because of Tails' activist user base and the extreme privacy concerns, Portnoy says they disclosed the bug to Tails developers free of charge. "We were just trying to let everyone know, you can't trust any of these systems 100 percent," Portnoy says.
In response, the Tails developers stressed the constantly updating nature of the project, and the abruptness of Exodus's disclosure. "We were not contacted by Exodus Intel prior to their tweet," the development team said in a blog post. "In fact, a more irritated version of this text was ready when we finally received an email from them." It's still unclear which aspect of the software is vulnerable, and it may prove to be a plug-in application like Claws Mail or Pidgin that was developed separately from Tails itself. But until the bug is patched and published, it will be hard to say for sure. "We're really looking forward to reading this report," the developers said