Zerodium, infamously known for buying/selling vulnerabilities in software has lashed out on Tor saying its browser has a serious flaw. This revelation was made in a tweet released by Zerodium where it says that Tor’s browser’s plugin, NoScript, has a zero-day vulnerability. According to Zerodium, this flaw can reveal browsers’ identity when they visit sites.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 216;Safest217; security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
By popular consent, Tor is viewed by security-minded software as a go-to browser for privacy. As such, users who have reasons to not want to disclose their identities online result to the Firefox-based browser. However, Zerodium which is an American company specializing in information security and buying of zero-day vulnerability has come out hard on Tor.
Zerodium says the vulnerability in zero-day is so strong to the extent that it can circumvent even the strictest security provision put in place by NoScript extension. This vulnerability makes the execution of malicious coding possible in Tor browsers. It does this by evading the inherent ability of NoScript to block script.
Browser 7.x Series Are the Most Affected
While clarifying issues on the vulnerability, Zerodium made it clear that only Browser 7.x series are currently having this flaw. He affirmed that Tor 8.x browser which has just been released is not affected. According to Zerodium, the newly-released browser was able to tackle this flaw by replacing former Firefox core with a new Firefox Quantum platform.
It was only last year that the extension NoScript was rewritten so it could be compatible with the latest platform for Firefox Quantum. Giorgio Maone who is the author of NoScript extension attributed the flaw to updates in the extension to block viewers of in-browser JSON.
In an email made available to ZDNet, Zerodium did not mince words on the details of the vulnerability. Chaouki Bekrar who is the company’s CEO wrote in the email thus:
We’ve launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we’ve received and acquired, during and after the bounty, many Tor exploits meeting our requirements. We have decided to disclose this exploit as it has reached its end-of-life and it’s not affecting Tor Browser version 8 which was released last week.
It was ZDNet that brought the attention of Maone to the flaw in the extension. And upon becoming aware of it, the CEO promised to immediately release an update for the extension so it can combat the threat posed by the zero-day.
Maone Releases Update to NoScript
Staying true to his words, Maone did release an update to the NoScript extension with 24 hours of discovering the flaw. This update is known as Noscript Classic v 188.8.131.52. As expected, the update is to tackle possible exploitation due to zero-day error. Maone noted that NoScript 5.0.4 made available in May 2017 equally has the vulnerability.