NoScript Vulnerability in Tor Browser
Tor is the system preferred by users who wish to browse the internet anonymously. You can either set Tor up individually on your computer or mobile device, or in conjunction with the Tor Browser.
Tor Browser is careful to maintain your privacy by protecting your IP and fingerprint, which are used to differentiate you from other users. For instance, Tor Browser warns you when you try to maximize the browser window, since you can be tracked based on the viewport size and screen resolution.
Tor Browser might pay extra attention to user privacy, but even Tor developers make mistakes. A 0-Day vulnerability was found in the NoScript extension, which made it possible to expose the identities of Tor users. This article explains how this script-blocking extension works, and how it exposed the private information of Tor Browser users.
Script Blocking Feature
Running Scripts Even With NoScript Enabled
However, an alarming tweet by Zerodium on September 10 stated that a 0-Day vulnerability discovered in the NoScript extension might help expose the identities of Tor users.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS). — Zerodium (@Zerodium) September 10, 2018
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
Let’s take a brief look at the details of the vulnerability.
Details of the 0-Day Vulnerability in the NoScript Extension
It seems that the code responsible for blocking scripts from loading parses the Content-Type header incorrectly. It inspects the raw header value rather than the media type alone, so when it encounters the /json string at the end of the header it concludes that the response is JSON, a context in which scripts cannot execute anyway, and therefore sees no need to disable the script engine for that page. Because everything after the semicolon should be treated as a parameter, a header such as text/html;/json is still an HTML document, and the browser renders it with scripts enabled.
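To make the parsing mistake concrete, here is an added example (not NoScript's own code) that models the flawed "does the header end in /json?" decision described above next to a corrected check that first reduces the Content-Type value to its media type; the header values and function names are constructed for illustration.

```javascript
// Added example, not NoScript's own code: a simplified model of the
// Content-Type check described above, next to a corrected parser.

// Flawed model: decides "this is JSON, scripts cannot run here" by
// looking at the end of the raw header value, so parameters after ';'
// are never stripped. Returns true when scripts should be blocked.
function flawedShouldBlockScripts(contentType) {
  // "text/html;/json" ends with "/json", so this returns false and the
  // HTML page keeps a live script engine.
  return !/\/json$/i.test(contentType.trim());
}

// Corrected parser: a Content-Type value is "type/subtype" followed by
// optional ";" parameters. Only the part before the first ";" is the
// media type, so "text/html;/json" has the essence "text/html".
function mimeEssence(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

// JSON media types: application/json plus the "+json" structured-syntax
// suffix (e.g. application/vnd.api+json).
function isJsonType(essence) {
  return essence === "application/json" || essence.endsWith("+json");
}

// Fixed decision: block scripts unless the media type itself is JSON.
function fixedShouldBlockScripts(contentType) {
  return !isJsonType(mimeEssence(contentType));
}

// Run both decisions over a list of header values; "bypass" marks a
// value where the fixed check blocks but the flawed check stood down.
function compareDecisions(headerValues) {
  return headerValues.map((value) => {
    const flawed = flawedShouldBlockScripts(value);
    const fixed = fixedShouldBlockScripts(value);
    return { value, flawed, fixed, bypass: fixed && !flawed };
  });
}

// Constructed sample header values, including the one from the advisory.
const SAMPLES = [
  "text/html",
  "text/html; charset=utf-8",
  "application/json",
  "application/vnd.api+json", // flawed check wrongly blocks here too
  "text/html;/json",
];

for (const r of compareDecisions(SAMPLES)) {
  console.log(`${r.value.padEnd(26)} flawed=${r.flawed} fixed=${r.fixed}${r.bypass ? "  <-- blocker bypassed" : ""}`);
}
```

The same essence-first parsing is what a defender should expect of any filter keyed on Content-Type: parameters after the semicolon must never change the media-type decision.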
NoScript Classic fixed this vulnerability in the 5.1.8.7 update. All versions of the Tor Browser from version 8.0 onwards include the updated version of the NoScript extension. Therefore, we recommend that Tor Browser users update their browsers immediately.
For further information, consult the Python proof-of-concept code that exploits this issue, provided by the security researcher 'x0rz'.