A default configuration of the Apache HTTP Server has been found to be capable of exposing the identity of Tor users.
The Apache server's mod_status page displays uptime, resource usage, and statistics on active HTTP requests, and is accessible only from localhost. This setting was selected to enhance the security of mod_status, but a Tor relay uses localhost as a web proxy to ensure that users' location information remains private, so requests arriving through Tor appear to Apache to come from localhost.
Tor users who do not disable the Apache mod_status configuration could have their server-status page exposed, which would allow an attacker to surveil sensitive requests and could be used to determine the IP address of Tor users.
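An added example, not from the article or the Apache project: a shell function that reads Apache configuration text and reports whether a server-status handler is active and open to localhost, the condition described above. The function names and sample configurations are constructed for illustration, and the check assumes the handler is declared inside a `<Location>` block.

```shell
#!/bin/sh
# Added example (not from the article): classify how an Apache config exposes
# mod_status. Reads config text on stdin and prints one verdict:
#   absent          no active server-status handler in any <Location> block
#   localhost-only  handler is active and reachable from loopback addresses
#   denied          handler is active but access is refused for everyone
#   review          handler is active with some other rule; inspect by hand
audit_server_status() {
    awk '
        { sub(/^[ \t]+/, ""); line = tolower($0) }
        line == "" || line ~ /^#/ { next }          # skip blanks and comments
        line ~ /^<location/ { in_loc = 1; handler = 0; loopback = 0; denied = 0; next }
        line ~ /^<\/location/ {
            if (handler) {
                # A loopback allow wins over "Require all denied" in the same
                # block, because bare Require lines are combined as "any".
                verdict = loopback ? "localhost-only" : (denied ? "denied" : "review")
            }
            in_loc = 0; next
        }
        in_loc && line ~ /^sethandler[ \t]+server-status/ { handler = 1 }
        in_loc && line ~ /^require[ \t]+all[ \t]+denied/  { denied = 1 }
        in_loc && line ~ /^(require[ \t]+local|require[ \t]+ip[ \t]+127\.|allow[ \t]+from[ \t]+(127\.|localhost|::1))/ { loopback = 1 }
        END { print (verdict == "" ? "absent" : verdict) }
    '
}

# Constructed sample: a status block restricted to localhost, as the article describes.
sample_localhost_conf() {
    cat <<'EOF'
<Location /server-status>
    SetHandler server-status
    Require local
    #Require all denied
</Location>
EOF
}

# Constructed sample: the same block with access refused to every client.
sample_denied_conf() {
    cat <<'EOF'
<Location /server-status>
    SetHandler server-status
    Require all denied
</Location>
EOF
}

echo "localhost-restricted block: $(sample_localhost_conf | audit_server_status)"
echo "denied block:               $(sample_denied_conf | audit_server_status)"
```

To check a real file, feed it on stdin, for example `audit_server_status < /path/to/status.conf`. A `localhost-only` verdict on a host that is also reached through a local Tor proxy is the case the article says to fix by disabling mod_status.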
Last month, Facebook integrated Orbot, a proxy application that helps mobile users access the Tor network on Android phones, into its release of Facebook Android. Orbot was created by the Guardian Project, an open-source software project. The Tor Browser's lead developer Mike Perry said in December that the Tor Project will launch a bug bounty program in 2016.
The Apache Software Foundation and Tor network did not reply to requests from SCMagazine.com seeking comment about the default configuration.