Zerodium, an infosec and premium zero-day acquisition platform tweeted about the flaw in Tor browser on Monday.
The infamous exploit vendor and buyer/seller of popular software vulnerabilities, Zerodium has revealed a critical flaw in Tor browser software. According to a tweet posted by Zerodium, the zero-day vulnerability is present in the NoScript browser plugin and can reveal the user’s identity of the site they visit.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
Tor, a Firefox-based browser, is believed to be the perfect option for privacy-conscious users as they can anonymously surf the web using the Tor network. But, Zerodium, an American information security company, and premium zero-day acquisition platform state that the zero-day vulnerability is so strong that it can easily bypass the most stringent security mechanism of NoScript extension. The vulnerability allows malicious coding to be executed within the Tor browser by evading the script-blocking ability of NoScript.
Zerodium has noted that the vulnerability affects the Tor Browser 7.x series only while the recently released 8.x branch of Tor Browser stays unaffected because, in the new version instead of old Firefox core, the browser was embedded with new Firefox Quantum platform.
Last year, the NoScript extension was rewritten to become compatible with the new Firefox Quantum platform. The NoScript extension author, Giorgio Maone states that the vulnerability is caused due to a workaround for the extension’s blocking of in-browser JSON viewer. Maone was made aware of the vulnerability by ZDNet and he has promised to update the extension to mitigate the zero-day threat.
“I’m gonna release the update within 24 hours or less, like I always did in the past,” said Maone.
And within 24 hours Maone did release NoScript Classic v 220.127.116.11 update aimed at fixing the zero-day exploitation vector. He further clarified that the vulnerability was identified in NoScript 5.0.4, which was released in May, 2017.
On the other hand, Zerodium’s CEO Chaouki Bekrar explained more about the vulnerability via an email sent to ZDNet that read:
“We’ve launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we’ve received and acquired, during and after the bounty, many Tor exploits meeting our requirements. We have decided to disclose this exploit as it has reached its end-of-life and it’s not affecting Tor Browser version 8 which was released last week.”
This is the second vulnerability that has been discovered in the Tor browser in last few days. Last week, an IT security researchers exposed how misconfigured Tor sites using SSL certificates were exposing public IP addresses of users. Therefore, if you are using Tor; watch out as 100% online privacy is a myth.