A flaw in an anti-surveillance operating system makes it possible to reveal users’ IP addresses, which are meant to be hidden by the software.
The vulnerability has been publicised by Exodus Intelligence, a company known to sell secret security flaws to security services, and comes just two days after widely used anonymity service Tor acknowledged a similar problem.
The issue affects the Tails operating system, a live system that boots from a DVD or USB stick and is designed to preserve privacy on public Internet terminals or on compromised networks. It was popularised by former US spy contractor Edward Snowden, who used it to communicate with journalists in secret.
In a blog post, Exodus explained that the flaw lies in the Invisible Internet Project (I2P) software bundled with Tails, an anonymity network layer intended to hide the user's public IP address from websites and other servers. It means that a Tails user running I2P who visits a booby-trapped website could have their true IP address revealed.
"People shouldn't trust something wholeheartedly just because Snowden says," Exodus Vice President Aaron Portnoy told Reuters. "Generally, we assume the things we can find, others can find."
Tails did not respond to an email seeking comment. It was not clear how many Tails users would be vulnerable, since the I2P application does not launch automatically when the operating system starts; an I2P spokesman said a user would have to have chosen to run I2P to be vulnerable.
While Exodus does sell similar vulnerabilities to clients, in this case it alerted I2P and Tails to the problem and said it would not divulge the details to customers until the problem has been fixed. Portnoy declined to say what the company would do if a government client asked him to find a similar flaw in the future.
In response to the news about vulnerabilities in Tor earlier this week, Tor programmer Roger Dingledine conceded that Carnegie Mellon researchers had found a flaw and said his team was working to fix it before any public disclosure exposed dissidents and other Tor users to greater risk of attack.
The Tails and Tor episodes show that no anonymity system is failsafe, Portnoy said, and those in jeopardy should focus on compartmentalizing their efforts so that a single breach would not expose everything about them.
"Tor works for most purposes, but a determined adversary will always find a way," he said.
German media reported this month that leaked NSA documents show the agency logged the IP addresses of many Tor users and may have scanned the emails of users living outside the USA and its four closest intelligence allies.