Security Experts:

Connect with us

Hi, what are you looking for?



Zerodium Discloses Flaw That Allows Code Execution in Tor Browser

Exploit acquisition firm Zerodium has disclosed a NoScript vulnerability that can be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum security level is used.

Exploit acquisition firm Zerodium has disclosed a NoScript vulnerability that can be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum security level is used.

Zerodium disclosed the flaw and provided instructions on how it can be reproduced in a single message posted to Twitter on Monday. The recently released Tor Browser 8 is not affected.

While the tweet describes the issue as a vulnerability or backdoor in the Tor Browser, the flaw actually impacts NoScript, a popular Firefox extension designed to protect users against malicious scripts by allowing JavaScript, Java, and Flash plugins to be executed only on trusted websites. The Tor Browser is based on Firefox and it includes NoScript by default.

Zerodium discloses Tor Browser zero-day exploit

Giorgio Maone, the Italian developer who created NoScript, patched the vulnerability in roughly two hours with the release of version Maone noted that only the “Classic” branch of NoScript 5 is impacted.

The developer explained that the bug exists due to a “work-around for NoScript blocking the in-browser JSON viewer.” He also noted that the vulnerability was introduced in May 2017 with the release of NoScript 5.0.4.

Contacted by SecurityWeek, Tor Project representatives highlighted that this is not a Tor Browser zero-day vulnerability.

“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.

Chaouki Bekrar, the CEO of Zerodium, told SecurityWeek that the exploit basically circumvents the protection provided by NoScript, even if the Tor Browser is set to the “Safest” security level.

“If a user sets his Tor browser security level to ‘Safest’ to block JavaScript from all websites (e.g. to prevent browser exploits or data gathering), the exploit would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code despite the maximum security level being used, making it totally ineffective,” Bekrar explained.

Bekrar said his company acquired the vulnerability as a zero-day “many months ago” and shared it with its government customers. He claims Zerodium has acquired – including as part of a time-limited $1 million bug bounty program – what he describes as “high-end Tor exploits.” The company’s customers have allegedly used these exploits to “fight crime and child abuse, and make the world a better and safer place for all.”

Asked if he is concerned that the vulnerability may be exploited for malicious purposes now that it has been disclosed by Zerodium, Bekrar highlighted that version 8 of Tor Browser is not impacted and that it’s highly recommended that users upgrade to the newest release.

Related: Tor Offers $4,000 Per Flaw in Public Bug Bounty Program

Related: Bug in Tor Browser Exposed IP Addresses of macOS and Linux Users

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet