Unsafe Browser - Sandbox escape by spawning own GUI applications - deanonymization of Tor users
From https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/16 :
But another attack scenario would be an attacker spawning his own "fake" Thunderbird/Firefox or UI. By doing this, the "jailed" attacker could leak personal data or whatever from the user. The following picture shows a spawned GUI from inside the unsafe browser jail:
Using Wayland may prevent X11's keylogging issues, but it doesn't prevent a malicious user inside the sandbox from spawning their own GUI application on the host system.
Impact
An attacker that managed to get inside the sandbox of the Unsafe Browser could spawn fake applications like Thunderbird and Firefox to monitor clicks or log the keystrokes of the window. Since the user inside the sandbox is the same as the host user, the "jailed" amnesia user could kill every process running as the amnesia user on the host. As a result, the attacker could replace, for example, Thunderbird with their own GUI. Furthermore, the attacker could spawn fake error messages to leak information from the user or to force specific actions. As a result, the attacker may be able to leak information, escape the sandbox, and deanonymize the Tails user. Because user interaction is required, we rate this issue as low.
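The finding above rests on two properties of the jail: the sandboxed process runs as the same uid as the host desktop user, and it can reach the host's display server. As an added example (not code from the report or from Tails), the POSIX shell script below is meant to be run inside a sandbox to verify that neither property holds; the socket paths, the HOST_UID variable and the probe of PID 1 are assumptions about a typical Linux desktop.

```shell
#!/bin/sh
# Added example: run INSIDE a sandbox to check the isolation properties whose
# absence the issue above exploits. Every check returns 0 when the sandbox is
# isolated and 1 when it leaks.

# display_isolated X11_DIR RUNTIME_DIR: fails if any X11 or Wayland socket
# is reachable from here (a reachable display lets a jailed process open its
# own windows on the host desktop).
display_isolated() {
    x11_dir=$1; runtime_dir=$2
    for s in "$x11_dir"/X*; do
        [ -e "$s" ] && return 1
    done
    for s in "$runtime_dir"/wayland-*; do
        [ -e "$s" ] && return 1
    done
    return 0
}

# pid_isolated PID: fails if the given host PID is both visible and
# signalable from here. kill -0 sends no signal; it only asks the kernel
# whether we could.
pid_isolated() {
    if kill -0 "$1" 2>/dev/null; then
        return 1
    fi
    return 0
}

# uid_isolated HOST_UID: fails if we run as the same uid as the host user,
# which is what lets a jailed process kill that user's host processes.
uid_isolated() {
    [ "$(id -u)" != "$1" ]
}

# report: run all checks against the real environment and summarise.
# HOST_UID is an assumed variable; 1000 is the usual first desktop uid.
report() {
    rc=0
    display_isolated /tmp/.X11-unix "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" \
        || { echo "LEAK: display socket reachable"; rc=1; }
    pid_isolated 1 || { echo "LEAK: can signal PID 1 (shared PID namespace)"; rc=1; }
    uid_isolated "${HOST_UID:-1000}" || { echo "LEAK: same uid as host user"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: sandbox isolated"
    return "$rc"
}
```

Call `report` from inside the jail; a hardened configuration should print only the OK line.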