Tor Browser: not so secure?


“We recommend that you do not use Tails OS before the release of version 5.1, if you use Tor Browser to work with confidential information (passwords, private messages, personal data, etc.),” says a warning released by the project's developers this week.

The warning appeared after two 0-day vulnerabilities were fixed in the Firefox browser, a modified version of which serves as the basis of Tor Browser. CVE-2022-1802 and CVE-2022-1529 are prototype pollution vulnerabilities used to execute JavaScript code on devices with vulnerable versions of Firefox, Firefox ESR and Thunderbird.

“For example, if you visited a malicious site, then an attacker controlling it can gain access to a password or other confidential information that you send to other sites within the same Tails session,” the developers said in a statement.

However, Tor Browser with maximum security mode enabled, as well as the Thunderbird email client, are not affected by these vulnerabilities, since JavaScript is disabled in them. In addition, the vulnerabilities do not break the anonymity and encryption protections built into the browser.

The developers promised to fix the vulnerabilities in their OS only on May 31, since the team is not able to publish an emergency release earlier.

Both vulnerabilities in Firefox were discovered at Pwn2Own Vancouver 2022. We wrote about how security researcher Manfred Paul hacked Mozilla Firefox in just 8 seconds.
