Zero-Day Company Reveals Vulnerability in Tor Browser 7.x


In a post on Twitter, a company specializing in purchasing zero-day exploits from researchers and selling them to government agencies revealed that several versions of the Tor Browser fail to prevent JavaScript from running even with NoScript on the most secure setting.

The security company, Zerodium, announced the vulnerability after a new version of the Tor Browser had been released. Tor Browser 8.x is unaffected by the vulnerability, according to their announcement.

Here’s the tweet:

Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS).

PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.

JavaScript is a threat to Tor users (and anyone trying to remain anonymous). Although the Federal Bureau of Investigation never released the exploit used to identity Tor users during Operation Pacifier, a researcher found an exploit last November that worked almost identically to the way the FBI’s NIT worked on users of the Playpen forum.

A screenshot of the tor-talk mailing list

NoScript ships with the Tor Browser and is supposed to prevent Java, JavaScript, and Flash. Earlier builds of the Tor Browser shipped with NoScript at a low security mode and required users to manually increase the protection NoScript offered. During Operation Pacifier, the FBI only identified users who had not set NoScript to the highest security setting. The Zerodium vulnerability impacts users who had their security settings set to the highest level available.

In a statement to ZDnet, Zerodium said, “the exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.” The company also revealed that they had shared the information with their “government customers.” The company, of course, sells this information almost exclusively to government agencies.

And the infamous x0rz released a Python script demonstrating how simply the Tor Browser’s NoScript could be bypassed. Available