The vulnerability was privately reported to us by Evgeny Kurnevsky on April 14th and publicly disclosed with our permission on April 15th, along with a patch fixing the vulnerability, made by Evgeny Kurnevsky. irungentoo’s toxcore was patched after this post was written. irungentoo’s toxcore doesn’t have the vulnerability patched as of this moment and it’s unknown if it ever will, as it hasn’t been actively maintained for years. TokTok’s c-toxcore has patched the vulnerability in version 0.2.2. TCP-only mode is not affected by the vulnerability. The vulnerability affects only UDP mode of operation. The vulnerability affects both TokTok’s c-toxcore and irungentoo’s toxcore. This is a vulnerability in an implementation of the Tox protocol, a vulnerability in the Toxcore library, not in the Tox protocol itself. Thus, being able to learn the IP of an owner of a Tox Id without them accepting a friend request is an undesired behavior. The Tox protocol is designed in such a way that only friends (contacts) which you have accepted friend requests of are able to learn your IP based on your Tox Id and no one else.

I look forward to seeing where we can take it as it continues to improve.

A vulnerability was discovered in Toxcore that allows one to learn the IP of a target user by only knowing their Tox Id and without being friends with the target user.

Thanks to the donor, and the entire tox community for sticking with the project all these years. As time passes, more accurate updates will be posted here. My end date won’t be earlier than late September 2022, but may be later. PRs won’t be kicking around for months, issues will get prompt replies, and I’ll be around to bounce ideas off of. QTox development was in a bit of a lull before this, but now is a great time to get involved and contribute. This is still an accurate idea of what I’ll aim for in the year.
We don’t have a project manager, and have fewer developers than initially planned, so some things that end up being more work than expected will be deprioritized. Realistically there’s endless work that can be done to make qTox and tox in general as featureful and polished as mainstream chats, with the added challenge of being distributed. There are endless more ideas if I run out of things to work on.