Exploit acquisition company Zerodium has disclosed a NoScript flaw that can be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum security level is used. Zerodium disclosed the vulnerability and provided instructions on how it can be reproduced in a single message posted to Twitter on Monday. The newly released Tor Browser 8 is not affected.

While the tweet describes the problem as a flaw or backdoor in the Tor Browser, the vulnerability actually affects NoScript, a popular Firefox extension designed to protect users against malicious scripts by allowing JavaScript, Java, and Flash plugins to be executed only on trusted websites. The Tor Browser is based on Firefox and includes NoScript by default.

Giorgio Maone, the Italian developer who created NoScript, patched the flaw in roughly two hours with the release of version 5.1.8.7. Maone noted that only the “Classic” branch of NoScript 5 is impacted. The developer explained that the flaw exists due to a “work-around for NoScript blocking the in-browser JSON viewer.” He also noted that the flaw was introduced with the release of NoScript 5.0.4 in May 2017. Tor Project representatives pointed out that this is not a Tor Browser zero-day bug.

“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.

The CEO of Zerodium, Chaouki Bekrar, stated that the exploit essentially bypasses the protection provided by NoScript, even if the Tor Browser is set to the “Safest” security level.

“If a user sets his Tor browser security level to ‘Safest’ to block JavaScript from all websites (e.g. to prevent browser exploits or data gathering), the exploit would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code despite the maximum security level being used, making it totally ineffective,” Bekrar explained.

Bekrar stated that his company obtained the flaw as a zero-day “many months ago” and shared it with its government customers. He claims Zerodium has acquired, including as part of a time-limited $1 million bug bounty program, what he describes as “high-end Tor efforts.” The company's customers have apparently used these exploits to “fight crime and child abuse, and make the world a better and safer place for all.”

Asked if he is concerned that the flaw may be exploited for malicious purposes now that it has been disclosed by Zerodium, Bekrar pointed out that version 8 of Tor Browser is not affected and that it is highly recommended that users upgrade to the latest release.
