TS-2024-002
Description: We resolved an information disclosure vulnerability in the hello.ts.net service.
What happened?
On January 15 2024, we became aware of a potential information disclosure vulnerability in the hello.ts.net service, which could show the identity of a different Tailscale user when loaded. The hello.ts.net service receives identity information and public keys of nodes tied to their IP address. On November 28 2023, we made a change to how IPs are assigned to Tailscale nodes, making them globally non-unique. When the Tailscale service assigned the same IP to multiple nodes, hello.ts.net would receive identity information for one of the nodes at random. We confirmed on January 26 2024 that, if one of the other nodes with that IP loaded hello.ts.net, they would see another user's name, email, and hostname.
The Tailscale Security Team immediately took hello.ts.net offline while the fix was in progress. The issue has been fixed and the hello.ts.net service was restored on January 29 2024.
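The failure mode described above is an identity lookup keyed on a value (the node IP) that stopped being unique. The Go program below is an added illustration written for this bulletin; it is not Tailscale's code and does not show how hello.ts.net was actually fixed. It assumes a small Node record (field names are assumptions), constructed sample data in which two users' nodes share the address 100.64.0.5, and shows a lookup that refuses to answer when an IP is shared, a lookup keyed on the node public key that the bulletin says the service also receives, and a collision report a defender could monitor.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Node is a constructed record shaped like what an identity-on-IP service
// might receive: who owns a node, plus the node's public key and its IP.
// The field names are assumptions for this example, not Tailscale's types.
type Node struct {
	PublicKey string
	User      string
	Email     string
	Hostname  string
	IP        netip.Addr
}

// ErrAmbiguousIP is returned when more than one node claims the same IP.
var ErrAmbiguousIP = errors.New("multiple nodes share this IP; refusing to guess identity")

// ErrNotFound is returned when no node matches the query.
var ErrNotFound = errors.New("no node matches")

// IdentityIndex keeps every node per IP rather than the last or a random one,
// so a collision is detected instead of silently resolved.
type IdentityIndex struct {
	byIP  map[netip.Addr][]Node
	byKey map[string]Node
}

// NewIdentityIndex builds both indexes from a node list.
func NewIdentityIndex(nodes []Node) *IdentityIndex {
	ix := &IdentityIndex{
		byIP:  make(map[netip.Addr][]Node),
		byKey: make(map[string]Node),
	}
	for _, n := range nodes {
		ix.byIP[n.IP] = append(ix.byIP[n.IP], n)
		ix.byKey[n.PublicKey] = n
	}
	return ix
}

// LookupByIP answers only when exactly one node holds the IP. This check is
// what turns a silent mis-attribution into an explicit error.
func (ix *IdentityIndex) LookupByIP(ip netip.Addr) (Node, error) {
	nodes := ix.byIP[ip]
	switch len(nodes) {
	case 0:
		return Node{}, ErrNotFound
	case 1:
		return nodes[0], nil
	default:
		return Node{}, ErrAmbiguousIP
	}
}

// LookupByKey resolves identity by the node's public key, which stays unique
// when IPs do not, and still requires that key to be bound to the source IP.
func (ix *IdentityIndex) LookupByKey(ip netip.Addr, key string) (Node, error) {
	n, ok := ix.byKey[key]
	if !ok || n.IP != ip {
		return Node{}, ErrNotFound
	}
	return n, nil
}

// CollidingIPs reports every IP claimed by more than one node, for monitoring.
func (ix *IdentityIndex) CollidingIPs() []netip.Addr {
	var out []netip.Addr
	for ip, nodes := range ix.byIP {
		if len(nodes) > 1 {
			out = append(out, ip)
		}
	}
	return out
}

// SampleNodes is constructed test data: two nodes from different users
// holding the same IP, and one node with a unique IP.
func SampleNodes() []Node {
	return []Node{
		{PublicKey: "nodekey:alice-example", User: "alice", Email: "alice@example.com", Hostname: "alice-laptop", IP: netip.MustParseAddr("100.64.0.5")},
		{PublicKey: "nodekey:bob-example", User: "bob", Email: "bob@example.org", Hostname: "bob-desktop", IP: netip.MustParseAddr("100.64.0.5")},
		{PublicKey: "nodekey:carol-example", User: "carol", Email: "carol@example.net", Hostname: "carol-phone", IP: netip.MustParseAddr("100.64.0.9")},
	}
}

func main() {
	ix := NewIdentityIndex(SampleNodes())
	for _, ip := range []string{"100.64.0.9", "100.64.0.5"} {
		n, err := ix.LookupByIP(netip.MustParseAddr(ip))
		fmt.Printf("by IP %s: user=%q err=%v\n", ip, n.User, err)
	}
	n, err := ix.LookupByKey(netip.MustParseAddr("100.64.0.5"), "nodekey:bob-example")
	fmt.Printf("by key: user=%q err=%v\n", n.User, err)
	fmt.Println("colliding IPs:", ix.CollidingIPs())
}
```

Running it resolves 100.64.0.9 to carol, returns ErrAmbiguousIP for 100.64.0.5 instead of picking alice or bob at random, resolves bob by his key, and lists 100.64.0.5 as the one colliding address. The design point is that once the uniqueness assumption behind a lookup key is dropped, the service has to either switch to a key that is still unique or fail closed on collisions; returning one of several candidates is exactly the cross-user disclosure the bulletin describes.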
Who was affected?
The incident was isolated to 10 users across 9 tailnets who could have had their information leaked to other Tailscale users. We notified the tailnet security contacts directly in accordance with our obligations under applicable data privacy laws. Due to the random nature of the vulnerability, we cannot confirm that all of those users were indeed affected.
Regular shared nodes always see unique node IPs and were not vulnerable in a manner similar to hello.ts.net.
What was the impact?
A small number of users had their name, email, and hostname potentially exposed to other Tailscale users that had nodes sharing the same IP.
In addition, the hello.ts.net service was offline between January 26-29 2024. Several users reported being negatively impacted by this.
What do I need to do?
No action is needed at this time.
If you have a dependency on hello.ts.net as a probing target for Tailscale connectivity, consider using a different probing mechanism.