Tor Project patches critical bug but refuses to acknowledge the bug discovery by a security researcher
Tor Project’s website had a critical cross-site scripting (XSS) vulnerability which if exploited by a potential hacker, could have put thousands of visitors to the blog at risk. The vulnerability was discovered by an independent cyber security researcher Roy Jansen.
Roy, who has long list of bug discoveries to his name, contacted Tor Project admin through email, after he discovered the XSS vulnerability in their blog, which allowed potential hacker to build a specific URL that injects malicious scripts into webpages, which can then be executed unknowingly by a user visiting the link.
Even after contacting the Tor Project, Roy got no response so he tweeted about the vulnerability along with evidence.
— ~?? (@RoyJansen_01) February 6, 2016
In his tweet, Jansen included a link to demonstrate the vulnerability. When clicked, users are directed to the “Archive” section of the Tor Project’s website, but with an additional message inserted by Jansen.
“Maybe [the] Tor [network] isn’t really in danger,” Jansen told Motherboard in a Twitter message. “But their userbase/blog visitors are.” “Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or plug-in system on which they rely,” a part of Jansen’s message reads. “Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site.”
The vulnerability was immediately patched by Tor Project admin which oversees the Tor browser after Roy tweeted about the vulnerability but surprisingly they refused to acknowledge the bug discovery by Roy, let alone pay him bug bounty or honour his work.
We fixed a couple glitches on our ancient blog platform—looking forward to a new one, and some day, a new website.
— The Tor Project (@torproject) February 7, 2016
Its not like Tor Project doesnt have a bug bounty program. It had announced its first bug bounty program with sponsorship from the Open Technology Fund in December 2015. However, in Roy’s case they refused to accept the bug discovery, let alone award him with bug bounty.
Roy told Techworm that its good Tor Project has patched vulnerability and a simple thanks would have helped!
— ~?? (@RoyJansen_01) February 7, 2016