Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.
In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.
Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.
According to Zerodium, the zero-day affects only the Tor Browser 7.x series. The Tor Browser 8.x branch, released last week, is not affected.
The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API.
The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, which is why the zero-day revealed today does not work on the new Tor Browser 8.x series.
"We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Zerodium CEO Chaouki Bekrar told ZDNet.
"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.
"We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.
"The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component."
ZDNet advises Tor Browser 7.x users to update to Tor Browser 8.x, or at least make sure to install the NoScript update that Maone promised for later today. The current NoScript version included with Tor Browser 7.5.6 is NoScript 184.108.40.206.
UPDATE: Minutes after this article's publication, Maone released NoScript "Classic" version 220.127.116.11, which fixes the zero-day's exploitation vector. The patch came exactly two hours after Zerodium released details on Twitter. Maone also told ZDNet that the bug was introduced in NoScript 5.0.4, released on May the 11th 2017.
UPDATE on September 11, 10:30 AM EST: A spokesperson for the Tor Project told ZDNet they were not aware of the exploit prior to its disclosure on Twitter by Zerodium. The Tor Project member confirmed what Zerodium CEO Chaouki Bekrar told ZDNet -- that a second exploit would be needed for doing real damage against Tor Browser users.
"It is a bug in NoScript and not a zero-day exploit of Tor Browser that circumvents its privacy protections," the Tor Project spokesperson said. "For bypassing Tor, a real browser exploit would still be needed."