TOR Browser Zero Day Vulnerability Discovered


When we talk about ways to browse safely online, the option that comes to mind right after a VPN is TOR. The TOR browser tops the list of secure browsers that let you surf the internet with safety and anonymity. However, like everything else, it is not immune to bugs. Recently, the cybersecurity firm Zerodium discovered a TOR browser zero day that compromises its JS blocking feature.

Zerodium Discovered TOR Browser Zero Day Flaw

As reported by ZDNet, the cybersecurity firm Zerodium posted a short advisory about a TOR flaw in a recent tweet. They have discovered a TOR browser zero day vulnerability that compromises one of the TOR security features. As disclosed in the tweet, the bug allows bypassing TOR’s ‘NoScript’ JS blocking feature.

While they haven’t given any detailed proof-of-concept for this vulnerability, they have explained it briefly in their tweet.

‘NoScript’ is a browser extension that lets a user block JavaScript, Java, and Flash on untrusted websites. The user can, however, configure exceptions that allow JS to run on certain websites. Designed for all Mozilla-based browsers, including Firefox and SeaMonkey, the plugin ships by default with the TOR browser. It enhances the browser’s security by blocking all JS except on whitelisted sites.

The bug reported by Zerodium affects this particular TOR feature, allowing anyone to run malicious code in the browser by simply bypassing NoScript.

The Bug Was Patched Quickly

After noticing the tweet, ZDNet quickly approached Giorgio Maone, the author of the NoScript extension. Maone, in turn, stepped up to find the cause of this TOR browser zero day and worked on a patch for the flaw. Regarding the cause of the vulnerability, he explained that the bug was actually a “NoScript 5 ‘Classic’ bug” that did not affect TOR Browser 8 or NoScript 10 Quantum.

Reportedly, within 50 minutes of the disclosure, Giorgio Maone fixed the flaw in NoScript “Classic” version 5.1.8.7, which is now available.

Users of Firefox, TOR, and other browsers can simply download this patched NoScript version to mitigate the vulnerability. Likewise, TOR users running browser versions 7.x need to upgrade their browsers to version 8.x. Those already running TOR 8.x on their devices remain safe.

Let us know your thoughts in the comments section.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]