NoScript Vulnerability in Tor Browser

This blog post discusses the 0-Day vulnerability introduced into the Tor Browser’s NoScript script blocking extension, originally designed to allow users to block JavaScript from running, and how it could have been disabled it in order to potentially unmask Tor users with a JavaScript exploit. It includes an explanation of the exploit code.

NoScript Vulnerability in Tor Browser

Tor is the system preferred by users who wish to browse the internet anonymously. You can either set Tor up individually on your computer or mobile device, or in conjunction with the Tor Browser.

Tor Browser is careful to maintain your privacy by protecting your IP and fingerprint, which are used to differentiate you from other users. For instance, Tor Browser warns you when you try to maximize the browser window, since you can be tracked based on the viewport size and screen resolution.

Tor Browser might pay extra attention to user privacy, but even Tor developers make mistakes. A 0-Day vulnerability was found in the NoScript extension, which made it possible to expose the identities of Tor users. This article explains how this script blocking extension works, and how it exposes the private information of Tor Browser users.

Script Blocking Feature

One security feature of Tor Browser is that it blocks all scripts from loading unless you tell it to do otherwise. Script loading is blocked in all websites, besides the ones you whitelist, using the NoScript extension. This prevents your IP from being exposed by JavaScript code running on the page, such as a WebRTC connection request. All potentially vulnerable content, such as ActiveX controllers and flash objects, will also be blocked.

The activation of NoScript extensions is related to the Content-Type of the page. This is because if the NoScript extension comes across a context that can run scripts, such as a page that has the Content-Type set to text/html, the extension immediately prevents the Javascript code from running.


Script Blocking Feature

Running Scripts Even With NoScript Enabled

However, an alarming tweet by Zerodium on September 10 stated that a 0-Day vulnerability discovered in the NoScript extension might help expose the identities of Tor users.

Let’s take a brief look at the details of the vulnerability.

Details of the 0-Day Vulnerability in the NoScript Extension

The NoScript Safest extension blocks all JavaScript code in Tor Browser versions 7.x. However, it can be bypassed with a simple trick in the HTTP response, allowing the JavaScript files to run. The attack works when the attacker adds the following HTTP header in the response:

Content-Type: text/html;/json

It seems like the code responsible for blocking scripts from loading actually parses the Content-Type header incorrectly. When the code encounters the /json string at the end of the header, it believes that the context can't execute scripts anyway. Therefore it does not see the need to disable the script engine on that page.

Conclusion

NoScript Classic fixed this vulnerability in the 5.1.8.7 update. All versions of the Tor Browser from version 8.0 onwards included the updated version of the NoScript extension. Therefore, we recommend that Tor Browser users update their browsers immediately.

For further information, consult the Python Proof of Concept Code that exploits this issue, provided by the security researcher 'x0rz'.