Tails 5.0 Linux users warned against using it "for sensitive information"

Tails developers have warned users to stop using the portable Debian-based Linux distro until the next release if they're entering or accessing sensitive information using the bundled Tor Browser application.

Tails (short for The Amnesic Incognito Live System) is a Linux distro focused on protecting the users' anonymity (e.g., activists and journalists) and helping them circumvent censorship by forcing all connections to and from the Internet through the Tor network.

"We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the Tails developers warned.

This warning was prompted by two critical zero-day bugs in the Firefox JavaScript engine (tracked as CVE-2022-1802 and CVE-2022-1529), exploited during the first day of the Pwn2Own 2022 Vancouver hacking contest and patched by Mozilla two days later.

While the bugs have already been patched upstream, the developers cannot deliver patches for any of the included apps until the next release, given that Tails is a live Linux distro.

The vulnerabilities enable attackers to access info from other websites visited using Tor Browser if successfully exploited.

"For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session," the Tails advisory adds.

Tails still safe for some users

The Tails devs also explained that the flaws do not affect Tor Browser users when used on the Safest security level because it automatically disabled JavaScript while browsing.

Likewise, Thunderbird users are not impacted because the version bundled with the Tails Linux distro has JavaScript disabled by default.

Additionally, Tails users who don't use or access sensitive information through the Tor Browser can still use it safely since the security flaws don't break the encryption and anonymity of Tor connections.

"Mozilla is aware of websites exploiting this vulnerability already. This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier," the Tails team warned.