A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.
Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.
In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.
NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.
Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.
(Score: 2, Insightful) by Anonymous Coward on Tuesday September 11 2018, @02:53PM (1 child)
Let me get this straight.... I discover and disseminate an exploit that can hack a computer that is perfectly legal. It takes somebody else using it to be an illegal act. But I discover and disseminate an exploit that circumvents copyright protection I've violated the DMCA. It doesn't matter whether I or anybody else use it.
Yep. There's a societal cognitive disconnect.
(Score: 1, Informative) by Anonymous Coward on Tuesday September 11 2018, @04:17PM
You are correct. But keep in mind that governments buy and use exploits to their benefit. Having laws against the sale or purchase of an exploit would be an annoyance for our government.