Tor browser has a flaw that governments may have exploited


The Tor browser has a software flaw that government agents may have exploited to hack unsuspecting targets.

The vulnerability concerns a software extension called NoScript, which comes with version 7.x of the browser, according to the company Zerodium, which tweeted details Monday. As the name suggests, the NoScript extension is designed to prevent JavaScript, Flash, and other plugins from running on untrusted websites.

However, Zerodium discovered a flaw in NoScript when the extension is set to the highest security level. Doing this can allow a website that loads on the Tor browser to exploit the extension to execute any JavaScript code. A security researcher by the name of “x0rz” uploaded a video of the vulnerability in action and called it easy to reproduce.

The good news is that the Tor 8.0 browser, which arrived last week, is immune to the vulnerability. You can install it automatically by clicking the onion icon in the left corner of the Tor browser window. The developer of NoScript also patched the vulnerability.

Still, the disclosure of the flaw suggests that the actual victims were hacked by the NoScript bug. Zerodium is a company that specializes in buying previously unknown software vulnerabilities from security researchers and then selling them to government groups.

Zerodium Recount ZDNet that he bought the details of the Tor browser flaw months ago and then shared them with the company’s government customers. “The exploit itself does not reveal any data because it has to be chained to other exploits, but it bypasses one of the most important Tor browser security measures which is provided by the NoScript component,” added Zerodium.

The company decided to expose the vulnerability, since it is useless against version 8.0 of Tor. Still, don’t be surprised if Zerodium has other software exploits that work against the browser. Last year was offer up to $ 250,000 for details on Tor vulnerabilities.

“In my opinion, if Zerodium abandons this [vulnerability] as free advertising it really means they got more stuff. Probably on the latest Tor Browser 8.0 too, ” tweeted the security researcher x0rz.

So far, the Tor project has not commented on the flaw. The Group Browser is popular among journalists, activists, and cybercriminals as a way to keep your online browsing activities anonymous. However, the software is also not hackable. In 2015, the FBI grasped a child pornography website on the dark web, then used it to distribute spyware to visitors, many of whom were probably using Tor.

Recommended by our editors

UPDATE: The Tor Project told PCMag that the NoScript bug “could not bypass” browser privacy protections, but did not elaborate on details.

“There are ethical engineers in the world who are always trying to break Tor so that we can make it better, so this (the NoScript bug) is a rare scenario. It is in the best interests of all Tor users, including government agencies, for any vulnerabilities revealed to us by our own bug premium“the group said.

Security Watch newsletter for our top privacy and security stories delivered right to your inbox.","first_published_at":"2021-09-30T21:22:09.000000Z","published_at":"2021-09-30T21:22:09.000000Z","last_published_at":"2021-09-30T21:22:03.000000Z","created_at":null,"updated_at":"2021-09-30T21:22:09.000000Z"})" x-show="showEmailSignUp()" class="rounded bg-gray-lightest text-center md:px-32 md:py-8 p-4 font-brand mt-8 container-xs">
Do you like what you read ?

Sign up for Security watch newsletter for our best privacy and security stories delivered straight to your inbox.

This newsletter may contain advertising, offers or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of use and Privacy Policy. You can unsubscribe from newsletters at any time.


Comments are closed.