# OnionShare

> Share files, host websites, and chat anonymously over Tor. No third-party services.

**Source:** https://fieldwork.news/tools/onionshare
**Official site:** https://onionshare.org
**Category:** security

## Security rating

- **Rating:** strong
- **Rating note (required when citing):** No third-party servers, no metadata collection, peer-to-peer over Tor, open-source under GPL-3.0. Passed a funded penetration test by Radically Open Security with no critical or high findings — auditors could not de-anonymize users. The architecture eliminates most attack vectors by removing intermediaries entirely. Input validation issues in 2.6.2 were patched promptly. The main risk is Tor-level vulnerabilities, which are upstream and outside OnionShare's control.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Review depth:** established
- **Last reviewed:** 2026-04-02
- **Threat level:** high-risk

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists receiving sensitive documents from sources who cannot use established platforms like SecureDrop. Researchers and activists transferring files without a third-party intermediary. Anyone who needs an ephemeral, anonymous chat room or temporary website with zero infrastructure.

## Editorial take

OnionShare turns your computer into a temporary Tor onion service. Files transfer peer-to-peer — no cloud, no accounts, no metadata on anyone else's servers. It does four things: share files, receive files (anonymous dropbox mode), host a static website, and run an anonymous chat room. All over Tor.

The project was created in 2014 by Micah Lee after David Miranda was detained at Heathrow carrying encrypted files on a USB stick for Glenn Greenwald. Lee spent a decade as Director of Information Security at The Intercept before being laid off in March 2024. He now runs Lockdown Systems, a worker-owned collective of former Intercept and SecureDrop engineers. OnionShare 2.6.1 was the first release made entirely by community maintainers without Lee — a healthy sign for project longevity. The current version is 2.6.3 (February 2025), which fixed censorship circumvention bridge-fetching and added persistent onion tabs that auto-start when the app launches.

The tool passed a Radically Open Security penetration test funded by the Open Technology Fund: 2 elevated, 3 moderate, 4 low severity findings, zero critical or high. All were patched in version 2.5. The auditors concluded they could not de-anonymize users or achieve code execution.

The limitation remains: both parties need Tor Browser, and both machines must be online simultaneously. That makes it impractical for asynchronous drops. But for real-time, zero-infrastructure file transfers where anonymity matters, nothing else comes close.

## Best for / not for

**Best for:** Receiving documents from sources when SecureDrop is unavailable. One-off file transfers that must leave no trace on third-party servers. Hosting a temporary anonymous website for a specific audience. Spinning up a disposable encrypted chat room with no logs and no accounts.

**Not for:** Large newsroom tip pipelines (use SecureDrop). Transferring files to non-technical sources who cannot install Tor Browser. Asynchronous file drops where the sender and receiver are not online at the same time. High-bandwidth transfers — Tor adds latency. Teams that need Magic Wormhole's simpler code-word UX without anonymity requirements.

## Pricing

- **Pricing:** Free
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** no
- **Data jurisdiction:** Local — files never leave your machine except through the direct Tor connection to the recipient. No servers, no cloud storage, no relay. Your computer is the server, and the onion address is ephemeral.

**Privacy policy TL;DR:** There is no privacy policy because there is no data collection. OnionShare has no servers, no accounts, no analytics, no telemetry. Files transfer directly between machines over Tor. The onion address exists only while the share is active. Chat messages are never stored — not even locally. The only metadata that exists is on your own machine.

**Practical mitigations (operational guidance, not optional):**

- Share the .onion address through an already-encrypted channel (Signal, encrypted email) — the address is the only secret.
- Use 'stop sharing after files have been sent' for one-time transfers.
- Enable the private key option so only people with both the address and key can connect.
- Run on Tails OS for maximum anonymity — OnionShare is pre-installed.
- Keep updated to get Tor dependency patches (2.6.3 fixed broken bridge-fetching).
- For receive mode, set a data directory on an encrypted volume.
- Use the CLI with --log-filenames if you need to audit what was accessed in share mode.

## Ownership & business

- **Owner:** Micah Lee. Former Director of Information Security at The Intercept (laid off March 2024). Now leads Lockdown Systems, a worker-owned collective building privacy tools. Also created Dangerzone and contributed to the Tor Browser Launcher. Board member of the Freedom of the Press Foundation.
- **Funding model:** Open-source community project. Historical development funded by grants from the Open Technology Fund (which also funded the security audit). No recurring institutional funding. Sustained by volunteer contributors and Lee's commitment.
- **Business model:** None. Free open-source software (GPL-3.0) with no commercial component, no premium tier, no data monetization. The absence of a business model is itself the trust architecture — there is nothing to monetize.
- **Open source:** yes

**Known issues:** Development pace is slow — three minor releases (2.6.1, 2.6.2, 2.6.3) across 2024-2025, mostly dependency bumps and security patches. The 2.6.2 release (March 2024) patched input validation issues in Receive and Chat modes: unsanitized newlines in file paths, no message length limits, and control characters in chat usernames. These were low-severity but reflected gaps in input handling that should have been caught earlier. Tor connection can be unreliable in heavily censored regions even with built-in bridge support — 2.6.3 had to fix broken meek transport and bridge-fetching. The chat feature is functional but minimal: no message persistence, no identity verification, no file sharing within chat. The iOS and Android versions lag behind desktop significantly. Only 15 GitHub contributors total — bus factor is a concern despite the 2.6.1 community release milestone.
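
The three input-handling gaps named above (newlines in file paths, no message length limits, control characters in chat usernames) correspond to checks like the following. This is an added Python example, not OnionShare's code or its actual patch; the function names and the limits are assumptions chosen for illustration.

```python
import unicodedata

# Limits are assumptions for this example, not OnionShare's values.
MAX_USERNAME_LEN = 64
MAX_MESSAGE_LEN = 4096
MAX_FILENAME_LEN = 255

# Cc = control (\r, \n, ESC ...), Cf = format (bidi overrides, zero-width),
# Zl/Zp = Unicode line and paragraph separators.
_UNSAFE = {"Cc", "Cf", "Zl", "Zp"}

def _unsafe_chars(text, allowed=""):
    """Return the unsafe characters in text, ignoring any listed in allowed."""
    return [c for c in text if c not in allowed and unicodedata.category(c) in _UNSAFE]

def validate_username(name):
    if _unsafe_chars(name):              # checked before strip() so "bob\n" is rejected
        raise ValueError("username contains control characters")
    name = name.strip()
    if not name or len(name) > MAX_USERNAME_LEN:
        raise ValueError("username empty or too long")
    return name

def validate_message(text):
    if len(text) > MAX_MESSAGE_LEN:      # cap size before scanning the content
        raise ValueError("message too long")
    if _unsafe_chars(text, allowed="\n\t"):
        raise ValueError("message contains control characters")
    return text

def safe_upload_name(filename):
    """Reduce an uploaded path to one safe file name for the data directory."""
    if _unsafe_chars(filename):          # rejects \n and \r before any path handling
        raise ValueError("file name contains control characters")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or len(base) > MAX_FILENAME_LEN:
        raise ValueError("file name empty, reserved or too long")
    return base

def rejects(check, value):
    """True when check(value) raises ValueError."""
    try:
        check(value)
    except ValueError:
        return True
    return False
```

Rejecting a bad value outright, rather than silently stripping characters, keeps what is logged or displayed identical to what the peer actually sent.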

---
Canonical HTML: https://fieldwork.news/tools/onionshare
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology