Security: Tor 0-day revealed on Twitter by vulnerability vendor
It's just two weeks since a Windows 0-day was revealed on Twitter, and now the same thing has happened for the Tor browser. Zerodium -- self-described as "the premium exploit acquisition program" -- exposed a backdoor vulnerability in Tor that makes it possible to bypass security protections.
The vulnerability affects Tor 7, and the vendor says that the problem has been addressed in the recently-released Tor 8. A proof-of-concept for the security has also been published.
- Tor for Android brings secure, anonymous internet browsing to your mobile phone
- Microsoft Windows task scheduler 0-day outed on Twitter
- Malware writers exploit recent Windows Task Scheduler 0-day vulnerability
In a tweet, Zerodium revealed details of what it refers to as a "backdoor":
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
Security researcher x0rz was quick to share details of a proof-of-concept:
— x0rz (@x0rz) September 10, 2018
As revealed in an interview with ZDNet, Zerodium is said to have been aware of the vulnerability for "many months", and details of it had been shared with government customers. Zerodium CEO Chaouki Bekrar said:
We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.
The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.
NoScript's author, Giorgio Maone, says he is working on a patch:
Notice: is a NoScript 5 "Classic" only bug: it doesn't affect neither NoScript 10 "Quantum" nor the Tor Browser 8. I'm testing a patch right in this moment. /cc @torproject
— Giorgio Maone (@ma1) September 10, 2018