A Zero-Day Faw in the TOR Browser Revealed on Twitter

The flows dealer Zerodium revealed a breach, which is a feat for Tor Browser. And the company would still have many more flaws in stock for this browser...

Source

The Zerodium company, whose speciality is the purchase and the resale of zero-day flaws, has delivered one of its goods for free. It has revealed on Twitter the existence of a zero-day flaw in Tor Browser version 7, allowing to by-pass the NoScript extension protection of the browser.

This one prevents the execution of active codes on the visited Web pages, such as Javascript, Java, Flash or Silverlight, so improving the protection against the cross- attacks scripting attacks or the fingerprinting.

Source

As can be seen, the flaw is very simple: it is enough that the header of the web page defines the type of content (Content-Type) as "text / html; json". From there, the NoScript feature will allow to pass all the Javascript codes.

"This Tor/NoScript bug is so simple that it looks like a backdoor. It deserves PwnieAwards 2019! Congratulations to the researcher who discovered it and who sold it to Zerodium", underlines Chaouki Bekrar, the CEO of Zerodium on Twitter.

Since then, the flaw was patched by the NoScript developers. Users are therefore invited to download and to install the version 5.1.8.7 of this extension. But the simplest would still to upgrade to the version 8 of Tor Browser. This one is not concerned by this vulnerability because it embeds a more recent version of NoScript (10.1.9.1).

Questioned by ZDnet, Chaouki Bekrar explains that this flow comes from a bug bounty organized in December, 2017, during which the company would have received and bought numerous exploits Tor ".

According to the Zerodium business model, this vulnerability has been shared with the company’s "governmental customers". "We decided to reveal this exploit since it reached its end of life and it does not affect the version 8 of Tor Browser", specifies the leader. We hesitate to thank him anyway.

Anonymity is SO important and TOR is not the only way to protect it, my next article will show you why/how you should do it! STAY LOG steemians ;-)

• I've made a lot of articles with tools, explanations and advises to show you how to protect your privacy and to secure your computer, GO check them out!

  • This is my guide to secure your PC after a fresh installation of Windows

  • If you think that your phone or your PC has been hacked, you have to check it right now!

  • That's how you can be more Anonymous on the internet!

  • Your PC is slow? That's why!

  • The 4 security measure to put in place on your WIFI router

  • You Feel hot? Your computer also!

  • How an adware works?

  • That's how you should guard against Trojan!

  • Why antiviruses are not your friend?!

  • Basics tools to protect your privacy and your computer