PSA: Serious Security Vulnerability in Tor Browser

HugBunter, who is apparently alive, posted a PSA on Dread about a vulnerability in all FireFox versions < 11.0.13.

HugBunter:

“Upgrade Tor Browser to the latest release (11.0.13) immediately where possible and ensure you have JavaScript Disabled in Tor Browser at all times, as always. This vulnerability is present in Firefox, and so affects all previous Tor Browser versions < 11.0.13. Affects all platforms, including Tails, as detailed in their warning below. They cannot currently push an emergency release for Tails specifically, will be resolved with a Tor Browser update in Tails 5.1 on May 31.”

Source: dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4313ca4ac715d83505c0

A picture of Update to Tor Browser version 11.0.13 as soon as possible. — Update to Tor Browser version 11.0.13 as soon as possible.

Tails:

Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).

A security vulnerability was discovered in the JavaScript engine of Firefox and Tor Browser. See the Mozilla Foundation Security Advisory 2022-19

This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.

This vulnerability doesn’t break the anonymity and encryption of Tor connections.

For example, it is still safe and anonymous to access websites from Tails if you don’t share sensitive information with them.

After Tor Browser has been compromised, the only reliable solution is to restart Tails.

Other applications in Tails are not vulnerable. Thunderbird in Tails is not vulnerable because JavaScript is disabled.

The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.

Mozilla is aware of websites exploiting this vulnerability already.

This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn’t have the capacity to publish an emergency release earlier.

Source: tails.boum.org/security/prototype_pollution/index.en.html

The Tor Project’s Blog:

Tor Browser 11.0.13 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

We also updated Tor to 0.4.7.7 (the first stable Tor release with support for congestion control).

Note: the Android version 11.0.13 will be available later during the week.

The full changelog since Tor Browser 11.0.12 is:

Android
- Bug fenix#40212: Tor Browser crashing on launch
All Platforms
- Update Tor to 0.4.7.7
- Bug tor-browser#40967: Integrate Mozilla fix for Bug 1770137
- Bug tor-browser#40968: Integrate Mozilla fix for Bug 1770048
Build System
- All Platforms
  - Update Go to 1.17.10
  - Bug tor-browser-build#40319: Add build tag to downloads.json
  - Bug tor-browser-build#40486: Add tools/signing/do-all-signing script, and other signing scripts improvements

Source: pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion/new-release-tor-browser-11013/index.html

CVE-2022-1802: Prototype pollution in Top-Level Await implementation

Reporter: Manfred Paul via Trend Micro’s Zero Day Initiative
Impact: critical
Description
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.
References

Bug 1770137

Source: www.mozilla.org/en-US/security/advisories/mfsa2022-19/

CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

Reporter: Manfred Paul via Trend Micro’s Zero Day Initiative
Impact: critical
Description
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.
References

Bug 1770048

Source: www.mozilla.org/en-US/security/advisories/mfsa2022-19/

29 Comments

It's Called We Engage In A Mild Amount of Tomfoolery

94c2515f

2c3fe990 Wed, May 25, 2022

a little bird told me soon we see LE market takedown, first versus now java script exploits…. It’s all connected.

e5f6e824

aaf2b650 Wed, May 25, 2022

what do you mean by LE market

2f07feae

07dcde20 Wed, May 25, 2022

versus was run by LE? wtf are you saying?

df503587

d53dd360 Wed, May 25, 2022

was williamgibson actually arrested? link??? im calling bullshit on that until i see proof but it is odd

09428fc4

da709600 Wed, May 25, 2022

not yet probably yesterday

7a30caf4

5d33cf90 Sat, Jun 11, 2022

http://slkjfdf.net/ - Orajeaw Hrimehoeh xlp.uxdm.darknetlive.com.ods.qd http://slkjfdf.net/

c6486b71

523bcb90 Wed, May 25, 2022

what is the key take away lesson from this article like every other time we get a critical CVE related to TOR? never allow javascript you n00bz! if you are on TOR and a website requires javascript consider that website to be a honey pot. MOVE ALONG.

44c6a970

60809e20 Wed, May 25, 2022

These are just the exploits that were disclosed (responsibly) to Mozilla by the pwn2own competition. Nowhere has Mozilla claimed to have evidence of them being exploited in the wild. Not to say that it isn’t important to update ASAP, but it seems a bit hyperbolic to make that claim.

0926b03e

19bde410 Thu, May 26, 2022

Yikes

35f7b183

2241a8d0 Thu, May 26, 2022

now just wait until you hear about the next one!

0226c264

5fe61bc0 Thu, May 26, 2022

That’s bullshit Tails, some kind of uptime reassurance that shit it is, imagine AWS pulling some stuff like that. Tails has always been so funky about vpns but you can pretty easily implement a kill switched VPN on a Linux, MAC or Windows desktop, of course all of the security implications that come which each flavor of operating system but ya, killed switched vpn on the desktop of a nice Linux virtual machine with an up to date tor browser or Qubes. You’ve got to make sure it’s a VPN that’s not just going to hand over your information without a warrant either…

b1979b22

199b3220 Thu, May 26, 2022

If you ain’t got all them god damn servers like DeSnake, you could also run all these things on a cheap RDP using said “non-extraditable” VPN, like NordVpn…

5748c0d6

a1147b20 Thu, May 26, 2022

***correction, desnske is actually using rdp right now.

427d8d6e

4a55b940 Thu, May 26, 2022

NordVPN advertises a lot in Australia, I can’t imagine a company being allowed to advertise that much on national TV without having made a “side gate” deal with the Australian government. I’d assume they’re allowing LE full access to all their unlogged traffic so they can make their own logs.

I used them years ago due to the good ratings on ’thatprivacyguys’ website but I’m very skeptical of them these days..

3d420bd3

ecf005d0 Tue, May 31, 2022

http://slkjfdf.net/ - Arilpibo Itiwujoti obi.hwml.darknetlive.com.vun.pa http://slkjfdf.net/

6ed429f8

0c0f7f50 Thu, May 26, 2022

Just use Whonix

a83afd56

bba4a100 Tue, May 31, 2022

http://slkjfdf.net/ - Benilvuey Uzinapum gds.kazz.darknetlive.com.ddb.qn http://slkjfdf.net/

831e08d0

bde2d7b0 Thu, May 26, 2022

Y’all trust that cuck HugBunter? Seriously? ‘Member darknet years are an equivalent to a decade IRL. u’all deserve to be cuck’d if you still operating as if things are 2015. By the Cuckholds horn I denounce you!

Submissive MonopolyOfficial has presented himself for his BBC master. His tight freshly bleached pleasure hole eagerly awaits his punishment. He quivers in anticipation. The absolutely massive glistening ebony dark brown meat missile, erect and throbbing, slowly at first, gaining momentum, quickly forcing his ripped african king, to insert deeply inside…

I’ve got russki tank movements for sale. DM for details; u know the place. Ivan loves that iCrap lmao. Useful idiots were an understatement, Vlad.

145c8c65

74c74170 Fri, May 27, 2022

“brought to you by a 14 and a half year old that just got the internet”

f9b9aab9

9684a7b0 Fri, May 27, 2022

^ lol just got the internet? we grew up with it, idiot

3a9d6a8d

ea49ba80 Fri, May 27, 2022

Do not talk about ███
2. Do NOT talk about ███
3. We are Anonymous
4. Anonymous is legion
5. Anonymous never forgives
6. Anonymous can be a horrible, senseless, uncaring monster
7. Anonymous is still able to deliver
8. There are no real rules about posting
9. There are no real rules about moderation either - enjoy your ban
10. If you enjoy any rival sites - DON’T
11. All your carefully picked arguments can easily be ignored
12. Anything you say can and will be used against you
13. Anything you say can be turned into something else - fixed
14. Do not argue with trolls - it means that they win
15. The harder you try the harder you will fail
16. If you fail in epic proportions, it may just become a winning failure
17. Every win fails eventually
18. Everything that can be labeled can be hated
19. The more you hate it the stronger it gets
20. Nothing is to be taken seriously
21. Original content is orig..

8a9e72e6

786da060 Tue, May 31, 2022

http://slkjfdf.net/ - Zaninowj Opasiyel ocq.mykd.darknetlive.com.qou.li http://slkjfdf.net/

fdd47f9a

a891e540 Thu, May 26, 2022

versus is fucking ddosing asap did you see lechacals post @DNL

afd356a7

77d24aa0 Fri, May 27, 2022

Nice report 3NL, stay calm and disable JavaScript…

05f7e632

55c181a0 Tue, May 31, 2022

http://slkjfdf.net/ - Owsihejo Aripijet nra.gmum.darknetlive.com.ldh.ky http://slkjfdf.net/

ee2edbfc

177a65c0 Sun, Jun 5, 2022

^ bruh nobody clicking that scammy-af polak link

f3419904

d34bfe70 Tue, May 31, 2022

qubes is the way to go !

91833191

a07a29f0 Wed, Jun 1, 2022

penis

New comments are disabled after ten days in an attempt to limit spam.