
Published on March 25th, 2020


Tor Browser 9.0.7 addresses a flaw that could allow unmasking Tor users - Security Affairs



The Tor Project released Tor Browser 9.0.7, which definitively addresses a vulnerability that allowed JavaScript code to execute on sites where it should not.

The Tor Project released Tor Browser 9.0.7 that permanently addresses a severe bug that allowed JavaScript code to run on sites it should not.

A couple of weeks ago, the Tor Project announced a major bug in the Tor browser that may cause the execution of JavaScript code on sites for which users have specifically blocked JavaScript.

The development team at the Tor Project announced that it was already working on a fix, and now it has released Tor Browser 9.0.7 that definitively addresses the issue.

The feature that prevents the execution of JavaScript code on specific sites is essential for the privacy-friendly Tor Browser, which uses it to prevent online surveillance. Malicious JavaScript code could reveal the real IP addresses of Tor users if executed.

Scripts of this kind have also been employed in investigations conducted by law enforcement: in 2013, the FBI admitted an attack against Freedom Hosting, probably the most popular Tor hidden service operator company at the time.

The flaw addressed by the Tor Project exists in TBB’s security options. The bug causes the execution of JavaScript code even when the browser is set to the highest security level, “Safest”.





JavaScript code could be used for fingerprinting or unmasking Tor users.

The latest version released by the Tor Project disables by default any JavaScript code on non-HTTPS sites visited by users that have set up the Safest security level. This change could affect users’ workflow if they previously allowed Javascript on some sites using NoScript.

“this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript.” reads the press release published by the Tor Project. “While you are on “Safest” you may restore the previous behavior and allow Javascript by:

  • Open about:config
  • Search for: javascript.enabled
  • The “Value” column should show “false”
  • Either: right-click and select “Toggle” such that it is now disabled or double-click on the row and it will be disabled.”

This precaution will remain in place until recent NoScript versions successfully block JavaScript execution by default, working around a Firefox ESR vulnerability.
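To confirm from outside the browser which value of `javascript.enabled` a profile will actually use, the sketch below reads the profile's preference files. It is an added example, not code from the Tor Project or the original article. It assumes the standard Firefox profile layout (`prefs.js`, optionally overridden by `user.js`) and that an absent entry means the built-in default of `true`; the sample file contents are constructed.

```python
import re

# One line of a Firefox-family prefs.js / user.js file, e.g.
#   user_pref("javascript.enabled", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):      # skip comment lines
            continue
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def javascript_enabled(prefs_js, user_js=""):
    """Effective javascript.enabled for a profile.

    user.js is applied on top of prefs.js at startup, so it wins.
    Assumption: with no entry at all, the built-in default (true) applies.
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get("javascript.enabled", True)


# Constructed sample inputs (not taken from a real profile).
SAFEST_PROFILE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("javascript.enabled", false);
'''
# After toggling back to the default, the entry is no longer stored.
RESTORED_PROFILE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
'''
USER_JS_OVERRIDE = 'user_pref("javascript.enabled", true);\n'
```

The missing-entry and `user.js` cases matter when auditing: a profile can have JavaScript globally enabled without any `javascript.enabled` line in `prefs.js`.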

Pierluigi Paganini

(SecurityAffairs – Tor Browser, privacy)



