Invizible v2.5.4 beta security issue

2025-07-21

I was looking through some projects yesterday and noticed this commit in Invizible. This change deletes the Tor state file on Tor connection failure. However, this state file stores the list of chosen guards to make guard selection attacks harder. This could allow a network attacker to easily force a client onto specific guard nodes. After some back and forth, @Gedsh reverted the commit. It affects only this one beta version.
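The effect of wiping guard state on failure can be seen in a toy model, given here as an added example that is not code from Tor or Invizible. It assumes uniform guard selection (real Tor weights by bandwidth), and the guard counts, sample size and failure limit are constructed values chosen for illustration.

```python
import random

def sample_guards(rng, n_guards, k):
    """Pick k distinct guard indices uniformly (simplification of Tor's weighting)."""
    return rng.sample(range(n_guards), k)

def ends_on_hostile_guard(rng, n_guards, n_hostile, k, max_failures, wipe_state):
    """Model one client behind a network attacker who lets connections through
    only to guards 0..n_hostile-1 (the ones the attacker runs)."""
    guards = sample_guards(rng, n_guards, k)
    failures = 0
    while True:
        if any(g < n_hostile for g in guards):
            return True            # the only reachable guard is hostile
        failures += 1
        if not wipe_state or failures >= max_failures:
            return False           # state kept: same guards retried, client stays offline
        # State file deleted on failure: guard selection starts from scratch.
        guards = sample_guards(rng, n_guards, k)

def compromise_rate(wipe_state, trials=2000, seed=1,
                    n_guards=1000, n_hostile=50, k=3, max_failures=20):
    """Fraction of simulated clients that end up using a hostile guard."""
    rng = random.Random(seed)
    hits = sum(
        ends_on_hostile_guard(rng, n_guards, n_hostile, k, max_failures, wipe_state)
        for _ in range(trials)
    )
    return hits / trials

if __name__ == "__main__":
    print("state kept on failure :", compromise_rate(wipe_state=False))
    print("state wiped on failure:", compromise_rate(wipe_state=True))
```

With 5% hostile guards, a client that keeps its state is exposed only through its one original selection, while a client that wipes state gets a fresh draw after every blocked attempt.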
