
OnionShare

Share files, host websites, and chat anonymously over Tor. No third-party services.

Strong
https://onionshare.org
Reviewed 2026-04-02
Editorial assessment by Mike Schneider — based on public security research and audits

What should journalists know about OnionShare?

OnionShare turns your computer into a temporary Tor onion service. Files transfer peer-to-peer — no cloud, no accounts, no metadata on anyone else's servers. It does four things: share files, receive files (anonymous dropbox mode), host a static website, and run an anonymous chat room. All over Tor.

The project was created in 2014 by Micah Lee after David Miranda was detained at Heathrow carrying encrypted files on a USB stick for Glenn Greenwald. Lee spent a decade as Director of Information Security at The Intercept before being laid off in March 2024. He now runs Lockdown Systems, a worker-owned collective of former Intercept and SecureDrop engineers. OnionShare 2.6.1 was the first release made entirely by community maintainers without Lee — a healthy sign for project longevity. The current version is 2.6.3 (February 2025), which fixed censorship circumvention bridge-fetching and added persistent onion tabs that auto-start when the app launches.

The tool passed a Radically Open Security penetration test funded by the Open Technology Fund: 2 elevated, 3 moderate, 4 low severity findings, zero critical or high. All were patched in version 2.5. The auditors concluded they could not de-anonymize users or achieve code execution.

The limitation remains: both parties need Tor Browser, and both machines must be online simultaneously. That makes it impractical for asynchronous drops. But for real-time, zero-infrastructure file transfers where anonymity matters, nothing else comes close.

Best for

Receiving documents from sources when SecureDrop is unavailable.
One-off file transfers that must leave no trace on third-party servers.
Hosting a temporary anonymous website for a specific audience.
Spinning up a disposable encrypted chat room with no logs and no accounts.

Not for

Large newsroom tip pipelines (use SecureDrop).
Transferring files to non-technical sources who cannot install Tor Browser.
Asynchronous file drops where the sender and receiver are not online at the same time.
High-bandwidth transfers — Tor adds latency.
Teams that need Magic Wormhole's simpler code-word UX without anonymity requirements.

Security & Privacy

Encryption in transit (data is scrambled while being sent to their servers): Yes

Encryption at rest (data is scrambled when stored on their servers): No

Data jurisdiction (where servers are located; affects which governments can request your data): Local — files never leave your machine except through the direct Tor connection to the recipient. No servers, no cloud storage, no relay. Your computer is the server, and the onion address is ephemeral.

Security rating: Strong

Privacy policy summary

There is no privacy policy because there is no data collection. OnionShare has no servers, no accounts, no analytics, no telemetry. Files transfer directly between machines over Tor. The onion address exists only while the share is active. Chat messages are never stored — not even locally. The only metadata that exists is on your own machine.

How to protect yourself:

Share the .onion address through an already-encrypted channel (Signal, encrypted email) — the address is the only secret.
Use 'stop sharing after files have been sent' for one-time transfers.
Enable the private key option so only people with both the address and key can connect.
Run on Tails OS for maximum anonymity — OnionShare is pre-installed.
Keep updated to get Tor dependency patches (2.6.3 fixed broken bridge-fetching).
For receive mode, set a data directory on an encrypted volume.
Use the CLI with --log-filenames if you need to audit what was accessed in share mode.

No third-party servers, no metadata collection, peer-to-peer over Tor, open-source under GPL-3.0. Passed a funded penetration test by Radically Open Security with no critical or high findings — auditors could not de-anonymize users. The architecture eliminates most attack vectors by removing intermediaries entirely. Input validation issues in 2.6.2 were patched promptly. The main risk is Tor-level vulnerabilities, which are upstream and outside OnionShare's control.

Who Owns This

Owner: Micah Lee. Former Director of Information Security at The Intercept (laid off March 2024). Now leads Lockdown Systems, a worker-owned collective building privacy tools. Also created Dangerzone and contributed to the Tor Browser Launcher. Board member of the Freedom of the Press Foundation.
Funding: Open-source community project. Historical development funded by grants from the Open Technology Fund (which also funded the security audit). No recurring institutional funding. Sustained by volunteer contributors and Lee's commitment.
Business model: None. Free open-source software (GPL-3.0) with no commercial component, no premium tier, no data monetization. The absence of a business model is itself the trust architecture — there is nothing to monetize.

Known issues

Development pace is slow — three minor releases (2.6.1, 2.6.2, 2.6.3) across 2024-2025, mostly dependency bumps and security patches. The 2.6.2 release (March 2024) patched input validation issues in Receive and Chat modes: unsanitized newlines in file paths, no message length limits, and control characters in chat usernames. These were low-severity but reflected gaps in input handling that should have been caught earlier. Tor connection can be unreliable in heavily censored regions even with built-in bridge support — 2.6.3 had to fix broken meek transport and bridge-fetching. The chat feature is functional but minimal: no message persistence, no identity verification, no file sharing within chat. The iOS and Android versions lag behind desktop significantly. Only 15 GitHub contributors total — bus factor is a concern despite the 2.6.1 community release milestone.

Pricing

Free

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
