Users expose more than their privacy when browsing the Internet. A group of computer forensics researchers disclosed a flaw in the Tor browser that could have allowed JavaScript to run on any website, even if users had disabled it to take full advantage of the anonymity this tool provides.
With the release of version 9.0.6, the Tor Project's managers announced that the flaw was corrected; however, browser users are strongly advised to disable JavaScript manually to fully mitigate this error.
The team behind Tor performed an extensive review of NoScript, a browser extension used to control the execution of JavaScript, Java, Flash and other plugins; this extension was also updated (version 11.0.17). According to computer forensics experts, whether users are affected by this flaw depends on how their Tor browser is configured to handle JavaScript.
Tor has JavaScript enabled by default, although users have two options for modifying it:
- “safer”, to disable JavaScript on sites without HTTPS
- “safest”, to disable JavaScript completely
Researchers mention that leaving the plugin enabled exposes users to having the anonymity provided by Tor compromised in some scenarios, for example if a threat actor exploits a vulnerability in Firefox, the underlying browser.
Exploitation of this scenario has been reported on at least two previous occasions, so Mozilla released patches to prevent incidents in real-world scenarios. Note that multiple sites that rely on JavaScript might break if you disable it completely.
Computer forensics researchers mention that the latest Tor update primarily affects users who have the “safest” setting, because under some circumstances disabling JavaScript might not work; in their report, browser maintainers specify that the extension will be updated automatically.