SoylentNews

An Anonymous Coward writes:

https://tails.boum.org/security/prototype_pollution/index.en.html [boum.org]

"Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).

A security vulnerability was discovered in the JavaScript engine of Firefox and Tor Browser. See the Mozilla Foundation Security Advisory[1] 2022-19

This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.

This vulnerability doesn't break the anonymity and encryption of Tor connections.

For example, it is still safe and anonymous to access websites from Tails if you don't share sensitive information with them.

After Tor Browser has been compromised, the only reliable solution is to restart Tails.

Other applications in Tails are not vulnerable. Thunderbird in Tails is not vulnerable because JavaScript is disabled.

The Safest security level of Tor Browser[2] is not affected because JavaScript is disabled at this security level.

Mozilla is aware of websites exploiting this vulnerability already.

This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier."

[1] https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/ [mozilla.org]
[2] https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html#security-level [boum.org]

* Discovered this information at: https://old.reddit.com/r/tails/comments/uwtsf6/serious_security_vulnerability_in_tails_50_tor/ [reddit.com]

Original Submission