The company also provided instruction to exploit the flaw in the following Twitter message:
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
Security researcher @x0rz also posted a proof of concept script to show that is very easy to exploit the flaw.
— x0rz (@x0rz) September 10, 2018
The latest version of the Tor Browser 8 is not affected, this means that users have to update their oldest versions as soon as possible.
The flaw resides in the NoScript Firefox extension and affects the Tor Browser that is based on Firefox.
The Italian hacker Giorgio Maone that developed the extension patched the bug in a couple of hours and addressed the problem with the release of the version 184.108.40.206.
I said FIXED, guys 🙂
Get 220.127.116.11 here:https://t.co/0h5BHFexTw
— Giorgio Maone (@ma1) September 10, 2018
Maone explained that only the “Classic” branch of NoScript 5 is impacted, according to the expert the flaw was introduced in May 2017 with the release of NoScript 5.0.4.
It exists due to a “work-around for NoScript blocking the in-browser JSON viewer.”
Tor Project team pointed out that this bug is a Tor Browser zero-day flaw, instead of a NoScript issue.
“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.
Bekrar confirmed to have acquired the zero-day vulnerability “many months ago” and shared it with law enforcement and government customers.
The worrying news is that Bekrar confirmed to have acquired “high-end Tor exploits” as part of its bug bounty program. In September the ZERODIUM announced it will pay up to $1 million for fully working zero-day exploits for Tor Browser on Tails Linux and Windows OSs.
Bekrar highlighted that the exploits have been used by its customers to “fight crime and child abuse, and make the world a better and safer place for all.”
Don’t waste time, upgrade your browser to the newest release.