Migrate to Tor Browser 8.0, Version 7.x Has Zero-Day Exploit
Tor, also known as the Onion Router, has been the go-to method for privacy-conscious people to browse the web with confidence, since Tor traffic hides the user's identity. Browsing through Tor, however, requires a web browser specifically designed to use the Tor network rather than a mainstream browser. Like any software, Tor Browser has been scrutinized by various groups, including cybercriminals, looking for weaknesses. Fortunately, this time it was a security company, Zerodium, that publicly revealed the vulnerability, first through Twitter:
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to a full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS).
PoC: Set the Content-Type of your HTML/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
Zerodium CEO Chaouki Bekrar further explained: “We’ve launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we’ve received and acquired, during and after the bounty, many Tor exploits meeting our requirements. This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.”
A zero-day vulnerability is a flaw in software that is already being exploited before it is discovered and patched. The issue affects Tor Browser 7.x when paired with a defective version of the NoScript extension (the default setup). Tor Browser is expected to block the execution of Silverlight, Java, Flash, and JavaScript; however, a flaw in NoScript (described by Zerodium as a “bugdoor”) lets sites execute script and plugin code anyway.
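The bypass Zerodium described turns on how a Content-Type header is interpreted: “text/html;/json” is not a valid media type at all, yet a lenient check that only looks for a familiar substring would treat it as JSON. The following is an added example, not code from this article or from the NoScript project: it contrasts a substring check (an assumed, constructed stand-in, not NoScript’s actual logic) with a strict RFC 7231-style media-type parser that fails closed on malformed headers, and runs both over a few constructed proxy log lines to flag responses a defender would want to look at. The log format, hostnames and URLs are all made up for the example.

```python
import re

# RFC 7230 "token" characters, used for type, subtype, and parameter names/values.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(rf"^\s*({TOKEN})/({TOKEN})\s*(.*)$")
PARAM_RE = re.compile(rf'^\s*;\s*({TOKEN})\s*=\s*(?:({TOKEN})|"((?:[^"\\]|\\.)*)")\s*')


def parse_media_type(header):
    """Parse a Content-Type value into (type, subtype, params).

    Returns None for anything that is not a well-formed media type, so a
    caller can fail closed instead of guessing what the server meant.
    """
    m = MEDIA_TYPE_RE.match(header)
    if not m:
        return None
    mtype, subtype, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
    params = {}
    while rest.strip():
        pm = PARAM_RE.match(rest)
        if not pm:
            return None  # e.g. ";/json" is not "name=value", so reject the header
        name = pm.group(1).lower()
        value = pm.group(2) if pm.group(2) is not None else pm.group(3)
        params[name] = value
        rest = rest[pm.end():]
    return mtype, subtype, params


def naive_json_check(content_type):
    """Constructed, deliberately lenient check: 'is there json anywhere in it?'

    This is an assumption for illustration only, not NoScript's real code.
    """
    return "json" in content_type.lower()


def strict_json_check(content_type):
    """Accept only a parsed application/json or a */*+json structured suffix."""
    parsed = parse_media_type(content_type)
    if parsed is None:
        return False  # malformed header: fail closed
    mtype, subtype, _params = parsed
    return (mtype, subtype) == ("application", "json") or subtype.endswith("+json")


# Constructed proxy log: timestamp, method, URL, status, quoted Content-Type.
SAMPLE_LOG = """\
2018-09-11T10:00:01Z GET https://example.test/index.html 200 "text/html; charset=utf-8"
2018-09-11T10:00:02Z GET https://example.test/api/data 200 "application/json"
2018-09-11T10:00:03Z GET https://example.test/evil 200 "text/html;/json"
2018-09-11T10:00:04Z GET https://example.test/feed 200 "application/atom+xml"
2018-09-11T10:00:05Z GET https://example.test/page 200 "text/html; x-hint=json"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def find_suspicious_content_types(log_text):
    """Return (url, content_type, reason) for responses worth a second look.

    Two conditions are flagged: a Content-Type that does not parse at all, and
    a well-formed one where the lenient and strict classifications disagree.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url, ctype = m.group(3), m.group(5)
        parsed = parse_media_type(ctype)
        if parsed is None:
            hits.append((url, ctype, "malformed Content-Type"))
        elif naive_json_check(ctype) != strict_json_check(ctype):
            hits.append((url, ctype, "lenient and strict checks disagree"))
    return hits


if __name__ == "__main__":
    for url, ctype, reason in find_suspicious_content_types(SAMPLE_LOG):
        print(f"{reason}: {url} served {ctype!r}")
```

The two flagged lines show the two ways a substring check goes wrong: the “text/html;/json” header is not a media type and should never be classified as anything, and “text/html; x-hint=json” is a perfectly valid HTML response whose parameter value happens to contain the word. Parsing the header into type, subtype and parameters before making a policy decision removes both problems.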
Tor Browser developers have addressed the flaw by releasing Tor Browser 8.0. The new version fully blocks plugin and script execution, even in the browser’s initial default state. From an initial check of the Tor Browser code, the transition from Firefox to Firefox Quantum caused the loophole (Tor Browser is a fork of Mozilla Firefox).
“We have decided to disclose this exploit as it has reached its end-of-life and it’s not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users. The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component. If a user sets his Tor browser security level to “Safest” aiming to block all JavaScript from all websites e.g. to prevent exploits, the disclosed bug would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code, making the ‘Safest’ security level useless against browser exploits,” Bekrar concluded.
The NoScript developers have also updated their extension to version 5.1.8.7, making it fully compatible with the Firefox Quantum-based Tor Browser.