Darknetlive

PSA: Serious Security Vulnerability in Tor Browser

HugBunter, who is apparently alive, posted a PSA on Dread about a vulnerability in all FireFox versions < 11.0.13.

HugBunter:

Upgrade Tor Browser to the latest release (11.0.13) immediately where possible and ensure you have JavaScript Disabled in Tor Browser at all times, as always. This vulnerability is present in Firefox, and so affects all previous Tor Browser versions < 11.0.13. Affects all platforms, including Tails, as detailed in their warning below. They cannot currently push an emergency release for Tails specifically, will be resolved with a Tor Browser update in Tails 5.1 on May 31.”

Source: dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4313ca4ac715d83505c0

A picture of Update to Tor Browser version 11.0.13 as soon as possible.

Update to Tor Browser version 11.0.13 as soon as possible.

Tails:

Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).

A security vulnerability was discovered in the JavaScript engine of Firefox and Tor Browser. See the Mozilla Foundation Security Advisory 2022-19

This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.

This vulnerability doesn’t break the anonymity and encryption of Tor connections.

For example, it is still safe and anonymous to access websites from Tails if you don’t share sensitive information with them.

After Tor Browser has been compromised, the only reliable solution is to restart Tails.

Other applications in Tails are not vulnerable. Thunderbird in Tails is not vulnerable because JavaScript is disabled.

The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.

Mozilla is aware of websites exploiting this vulnerability already.

This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn’t have the capacity to publish an emergency release earlier.

Source: tails.boum.org/security/prototype_pollution/index.en.html

The Tor Project’s Blog:

Tor Browser 11.0.13 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

We also updated Tor to 0.4.7.7 (the first stable Tor release with support for congestion control).

Note: the Android version 11.0.13 will be available later during the week.

The full changelog since Tor Browser 11.0.12 is:

Source: pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion/new-release-tor-browser-11013/index.html

CVE-2022-1802: Prototype pollution in Top-Level Await implementation

Reporter: Manfred Paul via Trend Micro’s Zero Day Initiative

Impact: critical

Description

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

References

Source: www.mozilla.org/en-US/security/advisories/mfsa2022-19/

CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

Reporter: Manfred Paul via Trend Micro’s Zero Day Initiative

Impact: critical

Description

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.

References

Source: www.mozilla.org/en-US/security/advisories/mfsa2022-19/


A picture of ????

????

Comments
Do you really want to comment here? not rules
94c2515f
2c3fe990 Wed, May 25, 2022

a little bird told me soon we see LE market takedown, first versus now java script exploits…. It’s all connected.

e5f6e824
aaf2b650 Wed, May 25, 2022

what do you mean by LE market

2f07feae
07dcde20 Wed, May 25, 2022

versus was run by LE? wtf are you saying?

df503587
d53dd360 Wed, May 25, 2022

was williamgibson actually arrested? link??? im calling bullshit on that until i see proof but it is odd

09428fc4
da709600 Wed, May 25, 2022

not yet probably yesterday

c6486b71
523bcb90 Wed, May 25, 2022

what is the key take away lesson from this article like every other time we get a critical CVE related to TOR? never allow javascript you n00bz! if you are on TOR and a website requires javascript consider that website to be a honey pot. MOVE ALONG.

44c6a970
60809e20 Wed, May 25, 2022

These are just the exploits that were disclosed (responsibly) to Mozilla by the pwn2own competition. Nowhere has Mozilla claimed to have evidence of them being exploited in the wild. Not to say that it isn’t important to update ASAP, but it seems a bit hyperbolic to make that claim.

35f7b183
2241a8d0 Thu, May 26, 2022

now just wait until you hear about the next one!

0226c264
5fe61bc0 Thu, May 26, 2022

That’s bullshit Tails, some kind of uptime reassurance that shit it is, imagine AWS pulling some stuff like that. Tails has always been so funky about vpns but you can pretty easily implement a kill switched VPN on a Linux, MAC or Windows desktop, of course all of the security implications that come which each flavor of operating system but ya, killed switched vpn on the desktop of a nice Linux virtual machine with an up to date tor browser or Qubes. You’ve got to make sure it’s a VPN that’s not just going to hand over your information without a warrant either…

b1979b22
199b3220 Thu, May 26, 2022

If you ain’t got all them god damn servers like DeSnake, you could also run all these things on a cheap RDP using said “non-extraditable” VPN, like NordVpn…

5748c0d6
a1147b20 Thu, May 26, 2022

***correction, desnske is actually using rdp right now.

427d8d6e
4a55b940 Thu, May 26, 2022

NordVPN advertises a lot in Australia, I can’t imagine a company being allowed to advertise that much on national TV without having made a “side gate” deal with the Australian government. I’d assume they’re allowing LE full access to all their unlogged traffic so they can make their own logs.

I used them years ago due to the good ratings on ’thatprivacyguys’ website but I’m very skeptical of them these days..

6ed429f8
0c0f7f50 Thu, May 26, 2022

Just use Whonix

831e08d0
bde2d7b0 Thu, May 26, 2022

Y’all trust that cuck HugBunter? Seriously? ‘Member darknet years are an equivalent to a decade IRL. u’all deserve to be cuck’d if you still operating as if things are 2015. By the Cuckholds horn I denounce you!

Submissive MonopolyOfficial has presented himself for his BBC master. His tight freshly bleached pleasure hole eagerly awaits his punishment. He quivers in anticipation. The absolutely massive glistening ebony dark brown meat missile, erect and throbbing, slowly at first, gaining momentum, quickly forcing his ripped african king, to insert deeply inside…

I’ve got russki tank movements for sale. DM for details; u know the place. Ivan loves that iCrap lmao. Useful idiots were an understatement, Vlad.

145c8c65
74c74170 Fri, May 27, 2022

“brought to you by a 14 and a half year old that just got the internet”

f9b9aab9
9684a7b0 Fri, May 27, 2022

^ lol just got the internet? we grew up with it, idiot

3a9d6a8d
ea49ba80 Fri, May 27, 2022

  1. Do not talk about ███
    2. Do NOT talk about ███
    3. We are Anonymous
    4. Anonymous is legion
    5. Anonymous never forgives
    6. Anonymous can be a horrible, senseless, uncaring monster
    7. Anonymous is still able to deliver
    8. There are no real rules about posting
    9. There are no real rules about moderation either - enjoy your ban
    10. If you enjoy any rival sites - DON’T
    11. All your carefully picked arguments can easily be ignored
    12. Anything you say can and will be used against you
    13. Anything you say can be turned into something else - fixed
    14. Do not argue with trolls - it means that they win
    15. The harder you try the harder you will fail
    16. If you fail in epic proportions, it may just become a winning failure
    17. Every win fails eventually
    18. Everything that can be labeled can be hated
    19. The more you hate it the stronger it gets
    20. Nothing is to be taken seriously
    21. Original content is orig..

fdd47f9a
a891e540 Thu, May 26, 2022

versus is fucking ddosing asap did you see lechacals post @DNL

afd356a7
77d24aa0 Fri, May 27, 2022

Nice report 3NL, stay calm and disable JavaScript…

ee2edbfc
177a65c0 Sun, Jun 5, 2022

^ bruh nobody clicking that scammy-af polak link

f3419904
d34bfe70 Tue, May 31, 2022

qubes is the way to go !

New comments are disabled after ten days in an attempt to limit spam.