PSA: Serious Security Vulnerability in Tor Browser

HugBunter, who is apparently alive, posted a PSA on Dread about a vulnerability in all FireFox versions < 11.0.13.


Upgrade Tor Browser to the latest release (11.0.13) immediately where possible and ensure you have JavaScript Disabled in Tor Browser at all times, as always. This vulnerability is present in Firefox, and so affects all previous Tor Browser versions < 11.0.13. Affects all platforms, including Tails, as detailed in their warning below. They cannot currently push an emergency release for Tails specifically, will be resolved with a Tor Browser update in Tails 5.1 on May 31.”

Source: dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4313ca4ac715d83505c0

A picture of Update to Tor Browser version 11.0.13 as soon as possible.

Update to Tor Browser version 11.0.13 as soon as possible.


Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).

A security vulnerability was discovered in the JavaScript engine of Firefox and Tor Browser. See the Mozilla Foundation Security Advisory 2022-19

This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.

This vulnerability doesn’t break the anonymity and encryption of Tor connections.

For example, it is still safe and anonymous to access websites from Tails if you don’t share sensitive information with them.

After Tor Browser has been compromised, the only reliable solution is to restart Tails.

Other applications in Tails are not vulnerable. Thunderbird in Tails is not vulnerable because JavaScript is disabled.

The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.

Mozilla is aware of websites exploiting this vulnerability already.

This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn’t have the capacity to publish an emergency release earlier.

Source: tails.boum.org/security/prototype_pollution/index.en.html

The Tor Project’s Blog:

Tor Browser 11.0.13 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

We also updated Tor to (the first stable Tor release with support for congestion control).

Note: the Android version 11.0.13 will be available later during the week.

The full changelog since Tor Browser 11.0.12 is:

Source: pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion/new-release-tor-browser-11013/index.html

CVE-2022-1802: Prototype pollution in Top-Level Await implementation

Reporter: Manfred Paul via Trend Micro’s Zero Day Initiative

Impact: critical


If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.


Source: www.mozilla.org/en-US/security/advisories/mfsa2022-19/

CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

Reporter: Manfred Paul via Trend Micro’s Zero Day Initiative

Impact: critical


An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.


Source: www.mozilla.org/en-US/security/advisories/mfsa2022-19/

A picture of ????


Do you really want to comment here? not rules
2c3fe990 Wed, May 25, 2022

a little bird told me soon we see LE market takedown, first versus now java script exploits…. It’s all connected.

aaf2b650 Wed, May 25, 2022

what do you mean by LE market

07dcde20 Wed, May 25, 2022

versus was run by LE? wtf are you saying?

d53dd360 Wed, May 25, 2022

was williamgibson actually arrested? link??? im calling bullshit on that until i see proof but it is odd

da709600 Wed, May 25, 2022

not yet probably yesterday

523bcb90 Wed, May 25, 2022

what is the key take away lesson from this article like every other time we get a critical CVE related to TOR? never allow javascript you n00bz! if you are on TOR and a website requires javascript consider that website to be a honey pot. MOVE ALONG.

60809e20 Wed, May 25, 2022

These are just the exploits that were disclosed (responsibly) to Mozilla by the pwn2own competition. Nowhere has Mozilla claimed to have evidence of them being exploited in the wild. Not to say that it isn’t important to update ASAP, but it seems a bit hyperbolic to make that claim.

2241a8d0 Thu, May 26, 2022

now just wait until you hear about the next one!

5fe61bc0 Thu, May 26, 2022

That’s bullshit Tails, some kind of uptime reassurance that shit it is, imagine AWS pulling some stuff like that. Tails has always been so funky about vpns but you can pretty easily implement a kill switched VPN on a Linux, MAC or Windows desktop, of course all of the security implications that come which each flavor of operating system but ya, killed switched vpn on the desktop of a nice Linux virtual machine with an up to date tor browser or Qubes. You’ve got to make sure it’s a VPN that’s not just going to hand over your information without a warrant either…

199b3220 Thu, May 26, 2022

If you ain’t got all them god damn servers like DeSnake, you could also run all these things on a cheap RDP using said “non-extraditable” VPN, like NordVpn…

a1147b20 Thu, May 26, 2022

***correction, desnske is actually using rdp right now.

4a55b940 Thu, May 26, 2022

NordVPN advertises a lot in Australia, I can’t imagine a company being allowed to advertise that much on national TV without having made a “side gate” deal with the Australian government. I’d assume they’re allowing LE full access to all their unlogged traffic so they can make their own logs.

I used them years ago due to the good ratings on ’thatprivacyguys’ website but I’m very skeptical of them these days..

0c0f7f50 Thu, May 26, 2022

Just use Whonix

bde2d7b0 Thu, May 26, 2022

Y’all trust that cuck HugBunter? Seriously? ‘Member darknet years are an equivalent to a decade IRL. u’all deserve to be cuck’d if you still operating as if things are 2015. By the Cuckholds horn I denounce you!

Submissive MonopolyOfficial has presented himself for his BBC master. His tight freshly bleached pleasure hole eagerly awaits his punishment. He quivers in anticipation. The absolutely massive glistening ebony dark brown meat missile, erect and throbbing, slowly at first, gaining momentum, quickly forcing his ripped african king, to insert deeply inside…

I’ve got russki tank movements for sale. DM for details; u know the place. Ivan loves that iCrap lmao. Useful idiots were an understatement, Vlad.

74c74170 Fri, May 27, 2022

“brought to you by a 14 and a half year old that just got the internet”

9684a7b0 Fri, May 27, 2022

^ lol just got the internet? we grew up with it, idiot

ea49ba80 Fri, May 27, 2022

  1. Do not talk about ███
    2. Do NOT talk about ███
    3. We are Anonymous
    4. Anonymous is legion
    5. Anonymous never forgives
    6. Anonymous can be a horrible, senseless, uncaring monster
    7. Anonymous is still able to deliver
    8. There are no real rules about posting
    9. There are no real rules about moderation either - enjoy your ban
    10. If you enjoy any rival sites - DON’T
    11. All your carefully picked arguments can easily be ignored
    12. Anything you say can and will be used against you
    13. Anything you say can be turned into something else - fixed
    14. Do not argue with trolls - it means that they win
    15. The harder you try the harder you will fail
    16. If you fail in epic proportions, it may just become a winning failure
    17. Every win fails eventually
    18. Everything that can be labeled can be hated
    19. The more you hate it the stronger it gets
    20. Nothing is to be taken seriously
    21. Original content is orig..

a891e540 Thu, May 26, 2022

versus is fucking ddosing asap did you see lechacals post @DNL

77d24aa0 Fri, May 27, 2022

Nice report 3NL, stay calm and disable JavaScript…

177a65c0 Sun, Jun 5, 2022

^ bruh nobody clicking that scammy-af polak link

d34bfe70 Tue, May 31, 2022

qubes is the way to go !

New comments are disabled after ten days in an attempt to limit spam.