Migrate to Tor Browser 8.0, Version 7.x Has Zero-Day Exploit
Tor, also known as The Onion Router, has long been the go-to method for privacy-savvy people to browse the web with confidence, because Tor traffic hides the user's identity. Browsing through Tor, however, requires a web browser specially designed to use the Tor network, not just a mainstream browser. Like any software, Tor Browser is scrutinized by various groups, including cybercriminals, looking for weaknesses. Fortunately, this time it was a responsible cybersecurity group, Zerodium, that publicly revealed the vulnerability, first through Twitter:
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to a full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS).
PoC: Set the Content-Type of your HTML/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
Zerodium CEO Chaouki Bekrar further explained: “We’ve launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we’ve received and acquired, during and after the bounty, many Tor exploits meeting our requirements. This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.”
Tor Browser developers have addressed the flaw by releasing a newer version, Tor Browser 8.0. This new version totally blocks plugin and script execution, even in the browser’s initial default state. According to an initial check of the Tor Browser code, the transition from Firefox to Firefox Quantum caused the loophole (Tor Browser is a fork of the Mozilla Firefox browser).
The NoScript developers also updated their extension to version 18.104.22.168, making it fully compatible with the Firefox Quantum-based Tor Browser.
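The Content-Type value quoted in the advisory above is not a well-formed media type, and a filter that reads it loosely can reach a different verdict than one that parses it strictly. The following is an added example, not code from the article, Tor Browser or NoScript: a strict RFC 7231 parser beside a hypothetical lenient check (`lenient_is_json`, an assumption made for contrast), run over constructed sample headers to flag values a security filter should not trust.

```python
import re

# RFC 7230 "token" characters: valid in a type, subtype or parameter name.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(rf"{TOKEN}/{TOKEN}")
# One parameter: OWS ";" OWS name "=" ( token / quoted-string )
PARAM = re.compile(rf'\s*;\s*({TOKEN})=({TOKEN}|"(?:[^"\\]|\\.)*")')

def parse_content_type(value):
    """Strictly parse a Content-Type value; return (essence, params, problems)."""
    value = value.strip()
    m = MEDIA_TYPE.match(value)
    if not m:
        return None, {}, [f"malformed media type: {value!r}"]
    essence, pos, params = m.group(0).lower(), m.end(), {}
    while pos < len(value):
        pm = PARAM.match(value, pos)
        if not pm:  # leftover text that is not a well-formed parameter
            return essence, params, [f"malformed parameters: {value[pos:]!r}"]
        params[pm.group(1).lower()] = pm.group(2).strip('"')
        pos = pm.end()
    return essence, params, []

def lenient_is_json(value):
    # Hypothetical lenient check, for contrast only (not NoScript's code):
    # it trusts any "/json" found anywhere in the header value.
    return "/json" in value.lower()

def audit(value):
    """Collect reasons a security filter should not trust this header."""
    essence, params, problems = parse_content_type(value)
    strict_json = essence == "application/json"
    if lenient_is_json(value) != strict_json:
        problems.append("lenient and strict checks disagree about JSON")
    return {"essence": essence, "params": params, "problems": problems}

# Constructed sample header values; the third is the one quoted in the advisory.
SAMPLES = [
    "text/html; charset=utf-8",
    'application/json; charset="utf-8"',
    "text/html;/json",
    "text/plain",
]

def flagged(samples):
    """Return the header values that have at least one problem."""
    return [s for s in samples if audit(s)["problems"]]

if __name__ == "__main__":
    for s in flagged(SAMPLES):
        print(s, "->", audit(s))
```

A filter that decides whether to block content based on its declared type is safer treating any value with a non-empty `problems` list as untrusted active content rather than guessing.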
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.