The vulnerability was referred to as a “backdoor” in a Sept. 10 tweet that read “Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS). PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.”
Zerodium CEO Chaouki Bekrar told ZDNet his firm launched time-limited bug bounty for Tor Browser and has since received and acquired submissions during and after the bounty and that this vulnerability was acquired months ago as a zero-day that has already been shared with its government customers.
“We have decided to disclose this exploit as it has reached its end-of-life and it’s not affecting Tor Browser version 8 which was released last week,” Bekrar said. “We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.”
It’s important to note that the exploit by itself doesn’t reveal any data since it must be chained to other exploits, but users should note that it does circumvent one of the most important security measures of Tor Browser provided by NoScript component. The Tor Project told ZDNet that it was not aware of the exploit prior to its disclosure on Twitter and Bekrar elaborated that a second exploit would be needed for doing real damage against the Tor browser.
Chris Morales, head of security analytics at Vectra pointed out the disclosure was more informational as the solution is to simply update to Tor Browser 8.0 and that Zerodium simply buys and sells zero day exploits.
“The big question here is was this vulnerability used by government agencies to access systems they believed were being used by targeted individuals,” Morales said. “Tor does not serve a legitimate business function and is commonly blocked in major enterprises as a risk.”
Morales added that the browser is often used by attackers as a form of bypassing perimeter security controls to establish remote access and for command and control via anonymized activity and that this vulnerability would have allowed for someone to monitor someone who did not want to be seen.
Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice at Cavirin added that it’s also important to not the other exploits tracked by Zerodium.
“OSs, browsers, mobile devices, web applications, servers and clients. The attack surface is large, and the hackers have multiple entry points,” Kumar said. “To maintain one’s cyber posture requires diligence and a multi-layer approach to security that includes OS and application hardening, patching, and user training, not to mention firewalling, encryption, etc.”