Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.
In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.
Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.
According to Zerodium, the zero-day affects only the Tor Browser 7.x series. The Tor Browser 8.x branch, released last week, is not affected.
The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API.
The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, hence the reason why the zero-day revealed today does not work on the new Tor Browser 8.x series.
Also: 7 tips for SMBs to improve data security TechRepublic
In an interview with ZDNet, Giorgio Maone, the author of the NoScript extension, said the zero-day was caused by a workaround for NoScript blocking the Tor Browser's in-browser JSON viewer.
Maone was not aware of the vulnerability before ZDNet contacted him earlier today.
After successfully reproducing the issue, Maone promised an update to the NoScript add-on for later today, to mitigate the zero-day's effects.
"I'm gonna release the update within 24 hours or less, like I always did in the past," Maone told ZDNet.
The Tor Project replied to ZDNet's request for comment but was not prepared to issue an official statement before this article's publication.
In an email exchange with ZDNet, Zerodium CEO Chaouki Bekrar provided more details about today's zero-day.
"We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet.
"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.
"We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.
Also: Best Home Security Devices for 2018 CNET
"The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.
ZDNet advises Tor Browser 7.x users to update to Tor Browser 8.x, or at least make sure to install the NoScript update that Maone promised for later today. The current NoScript version included with Tor Browser 7.5.6 is NoScript 18.104.22.168.
UPDATE: Minutes after this article's publication, Maone released NoScript "Classic" version 22.214.171.124, which fixes the zero-day's exploitation vector. The patch came exactly two hours after Zerodium released details on Twitter. Maone also told ZDNet that the bug was introduced in NoScript 5.0.4, released on May the 11th 2017.
UPDATE on September 11, 10:30 AM EST: A spokesperson for the Tor Project told ZDNet they were not aware of the exploit prior to being disclosed on Twitter by Zerodium.The Tor Project member confirmed what Zerodium CEO Chaouki Bekrar told ZDNet --that a second exploit would be needed for doing real damage against Tor Browser users
"It is a bug in NoScript and not a zero-day exploit of Tor Browser that circumvents its privacy protections," the Tor Project spokesperson said. "For bypassing Tor, a real browser exploit would still be needed."
Previous and related coverage:
Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.
This simple advice will help to protect you against hackers and government surveillance.
Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.