Tor Project patches critical XSS bug in its blog after researcher publicly discloses it

Tor Project patches critical bug but refuses to acknowledge the bug discovery by a security researcher

Tor Project’s website had a critical cross-site scripting (XSS) vulnerability which, if exploited by a potential hacker, could have put thousands of visitors to the blog at risk. The vulnerability was discovered by independent cyber security researcher Roy Jansen.

Roy, who has a long list of bug discoveries to his name, contacted the Tor Project admin by email after he discovered the XSS vulnerability in their blog. The flaw allowed a potential hacker to build a specific URL that injects malicious scripts into webpages, which can then be executed unknowingly by a user visiting the link.
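The vulnerability class described above, reflected XSS through a crafted URL, as an added illustration that is not code from the article or from the Tor Project's site: a hypothetical archive page that reflects a `q` query parameter into its HTML, shown in its unsafe form beside the output-encoded fix, with a constructed probe link.

```javascript
// Added example (not the Tor blog's code): how a reflected XSS arises when a
// page echoes a URL query parameter into HTML, and how output encoding fixes it.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable rendering (hypothetical archive page): the "q" parameter is
// concatenated into the markup verbatim, so any markup carried in the URL
// becomes part of the page and runs for every visitor who follows the link.
function renderArchiveUnsafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Archive</h1><p>Results for: ${q}</p>`;
}

// Hardened rendering: the same parameter is entity-encoded before insertion,
// so it is displayed as text and can no longer change the page's structure.
function renderArchiveSafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Archive</h1><p>Results for: ${escapeHtml(q)}</p>`;
}

// Regression check for a test suite: does a raw tag survive into the output?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Constructed sample link carrying the harmless popup probe that disclosure
// screenshots typically show; the hostname is a placeholder.
const probeLink = 'https://blog.example/archive?q=<script>alert(1)</script>';
```

Running `renderArchiveUnsafe(probeLink)` returns markup containing a live `<script>` element, while `renderArchiveSafe(probeLink)` returns the same text with the tag rendered inert as `&lt;script&gt;`.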

Even after contacting the Tor Project, Roy got no response, so he tweeted about the vulnerability along with evidence.

In his tweet, Jansen included a link to demonstrate the vulnerability. When clicked, users are directed to the “Archive” section of the Tor Project’s website, but with an additional message inserted by Jansen.

“Maybe [the] Tor [network] isn’t really in danger,” Jansen told Motherboard in a Twitter message. “But their userbase/blog visitors are.” “Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or plug-in system on which they rely,” a part of Jansen’s message reads. “Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site.”

The screenshot tweeted included a popup; Jansen says this means that an attacker could also inject malicious JavaScript.

The vulnerability was immediately patched by the Tor Project admin, which oversees the Tor browser, after Roy tweeted about it, but surprisingly they refused to acknowledge the bug discovery by Roy, let alone pay him a bug bounty or honour his work.

It’s not like Tor Project doesn’t have a bug bounty program. It had announced its first bug bounty program with sponsorship from the Open Technology Fund in December 2015. However, in Roy’s case they refused to accept the bug discovery, let alone award him a bug bounty.

Roy told Techworm that it’s good Tor Project has patched the vulnerability, and that a simple thanks would have helped!
