information disclosure: is a given email subscribed to any relay? (and which one?)
The Tor Weather website can be used by an attacker to find out whether a certain email address is:
- subscribed to any relay
- including which relay exactly (if any)
Since subscribers are usually the operators of the given relays, this can be used to find operators of relays for further targeted attacks.
This weakness is only relevant for relays where the operator chose to use a separate email address or an empty contact info (to avoid linking his identity with a relay publicly).
Reproducer: send subscribe requests via https://weather.torproject.org/subscribe/
As soon as you get the following response, you can tell that you found one:
Tor Weather - Oops!
You are already subscribed to receive email alerts about the node you specified.
Fix:
- Easy: The response to the subscribe request should always look the same. Don't send out an email in case the email was subscribed already.
- More user friendly: The response to the subscribe request should always look the same. Send out an email that tells the supposed subscriber that he is actually already subscribed.
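
The two proposed fixes next to the reported behaviour, as an added example that is not part of the original report and not Tor Weather's code. The class, method and message names are hypothetical, and the addresses and relay name are constructed sample data.

```python
# Added illustration. Class, method and message names are hypothetical,
# not Tor Weather's code; the addresses and relay name are constructed.
from dataclasses import dataclass, field

GENERIC_PAGE = "Request received. Check your inbox for further instructions."
ALREADY_PAGE = ("You are already subscribed to receive email alerts "
                "about the node you specified.")

@dataclass
class Weather:
    subscribed: set = field(default_factory=set)  # (email, relay) pairs
    outbox: list = field(default_factory=list)    # stand-in for outgoing mail

    def subscribe_leaky(self, email, relay):
        # Reported behaviour: the web page itself reveals existing subscriptions.
        if (email, relay) in self.subscribed:
            return ALREADY_PAGE
        self.outbox.append((email, f"Confirm your subscription to {relay}"))
        return GENERIC_PAGE

    def subscribe_uniform(self, email, relay, notify_existing=True):
        # Same page in every case. notify_existing=False is the "easy" fix,
        # True is the "more user friendly" one: only the mailbox owner learns
        # that the address was already subscribed.
        if (email, relay) not in self.subscribed:
            self.outbox.append((email, f"Confirm your subscription to {relay}"))
        elif notify_existing:
            self.outbox.append((email, f"You are already subscribed to {relay}"))
        return GENERIC_PAGE

def page_reveals_subscription(handler, known, unknown, relay):
    """True if the web response differs between a subscribed and an
    unsubscribed address, i.e. the requester can tell them apart."""
    return handler(known, relay) != handler(unknown, relay)

if __name__ == "__main__":
    w = Weather(subscribed={("operator@example.org", "ExampleRelay")})
    args = ("operator@example.org", "someone@example.net", "ExampleRelay")
    print("leaky:", page_reveals_subscription(w.subscribe_leaky, *args))
    print("uniform:", page_reveals_subscription(w.subscribe_uniform, *args))
```

The same comparison can be kept as a regression test so that a later template change does not reintroduce a distinguishable response.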