SoylentNews is people

posted by Fnord666 on Tuesday September 11 2018, @12:18PM
from the land-of-tor dept.

A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.

In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.

NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.

Zerodium's Tor zero-day allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking, even at the "Safest" security level.


Original Submission

This discussion has been archived. No new comments can be posted.
  • (Score: 5, Informative) by takyon on Tuesday September 11 2018, @01:44PM

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday September 11 2018, @01:44PM (#733138) Journal

    "We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet.

    "This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.

    "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users."

    And some background on Zerodium:

    https://en.wikipedia.org/wiki/Zerodium [wikipedia.org]

    Zerodium is an American information security company founded in 2015 based in Washington, D.C. Its main business is acquiring premium zero-day vulnerabilities with functional exploits from security researchers and companies, and reporting the research, along with protective measures and security recommendations, to its corporate and government clients. The founder, Chaouki Bekrar, is also known for founding VUPEN (defunct).

    In 2015, Zerodium was the first company to release a full pricing chart for 0days ranging from $5,000 to $1,500,000 per exploit. The company is reportedly spending between $400,000 to $600,000 per month for vulnerability acquisitions.

    So according to Chaouki Bekrar, they have "many exploits" for Tor. This one stopped working on the latest Tor Browser branch, so they decided to throw it up onto Twitter to drum up some attention for their business, instead of reporting it to NoScript or Tor maintainers. I assume there are people still using the old Tor Browser, maybe because of the switch to Firefox Quantum.

    Yup, this guy is an asshole [threatpost.com].

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 4, Interesting) by edIII on Tuesday September 11 2018, @07:17PM

    by edIII (791) on Tuesday September 11 2018, @07:17PM (#733258)

    This is why I think we should make it illegal to hold on to zero-days for our own avarice-filled purposes. It should be treated no differently than if I had knowledge of an impending murder, but chose to say nothing. If we forced responsible disclosure of zero-days and other such threats, then it would obviously lead to a more secure world. At least more secure than one with such exploits in the wild.

    Likewise, a corporation, once dutifully informed, is obligated to either fix the bug immediately or inform all of its customers. If it is a specific category of IoT device, a recall is issued.

    Right now it's like the Cold War, with corporations, governments, and hackers all vying for a stockpile of cyberweapons for their own purposes. Meanwhile, the world suffers.

    I hope this douchenozzle running the corporation gets head to toe herpes.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 1, Interesting) by Anonymous Coward on Wednesday September 12 2018, @11:25AM

      by Anonymous Coward on Wednesday September 12 2018, @11:25AM (#733556)

      Making it illegal won't make me stop holding them. In fact, I can't think of any illegal thing that I won't do because it's illegal. Usually it's not the "illegal" that stops me, it's the "unprofitable".

      "Meanwhile, the world suffers." - modernity discourse detected, as if suffering was less before exploit brokers came into existence.

      The "more secure world" is a logical extreme; it has nothing to do with reality.

      THERE EXISTS NO SECURITY, AND NEVER WILL EXIST

      the only thing that's real is WAR