The zero-day Zerodium released on Monday affects version 7.x of the Tor browser, which is claimed to provide secure browsing.
The US$1 million was on offer until 30 November last year, with the rider that any researcher who had already been paid that sum for other exploits would not be eligible.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS). PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected. — Zerodium (@Zerodium) September 10, 2018
Zerodium, which is based in Washington DC, mostly sells exploits to US Government agencies. It did not offer any explanation as to why it released the exploit publicly when it trades in such exploits itself.
It’s a bug in the NoScript addon, not Firefox itself. TorBrowser bundles NoScript. — David Ciani (@davidciani) September 10, 2018
One reason for releasing details of the flaw could be that most users would have moved to the newer version of Tor. The browser always reminds users to update (see screenshot above) if there is a newer version ready for download.
One individual who responded to the tweet, David Ciani, said that the flaw resided in the NoScript add-on, not Firefox itself. Tor is based on the Firefox codebase.
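As an added illustration (not code from Zerodium, NoScript or the Tor Project), the header value quoted in the advisory can be checked against the media-type grammar in RFC 9110: the part before the semicolon is text/html, and "/json" is not a well-formed name=value parameter, so a proxy rule or log review can flag it. The function names and all sample headers other than the advisory's value are constructed for this example.

```javascript
// Added example: validate Content-Type values against the RFC 9110 grammar
//   media-type = type "/" subtype *( OWS ";" OWS [ name "=" ( token / quoted-string ) ] )
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const TOKEN_RE = new RegExp(`^${TOKEN}$`);
const ESSENCE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);
const QUOTED_RE = /^"(?:[^"\\]|\\.)*"$/;

// Split on ';' but not inside a quoted-string (e.g. boundary="a;b").
function splitOutsideQuotes(value) {
  const parts = [""];
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\" && i + 1 < value.length) {
      parts[parts.length - 1] += ch + value[++i]; // keep escaped pair intact
    } else if (ch === ";" && !inQuotes) {
      parts.push("");
    } else {
      if (ch === '"') inQuotes = !inQuotes;
      parts[parts.length - 1] += ch;
    }
  }
  return parts;
}

// Returns the type/subtype and a list of grammar violations (empty = well formed).
function checkContentType(value) {
  const [head, ...rawParams] = splitOutsideQuotes(value);
  const essence = head.trim().toLowerCase();
  const problems = [];
  if (!ESSENCE_RE.test(essence)) problems.push(`bad media type: ${head.trim()}`);
  for (const raw of rawParams) {
    const param = raw.trim();
    if (param === "") continue; // RFC 9110 tolerates an empty parameter slot
    const eq = param.indexOf("=");
    const name = eq < 0 ? "" : param.slice(0, eq);
    const val = eq < 0 ? "" : param.slice(eq + 1);
    if (!TOKEN_RE.test(name) || !(TOKEN_RE.test(val) || QUOTED_RE.test(val))) {
      problems.push(`malformed parameter: ${param}`);
    }
  }
  return { essence, problems };
}

// First value is the one quoted in the advisory; the rest are constructed samples.
const SAMPLES = ["text/html;/json", "text/html; charset=utf-8", "application/json",
  'multipart/form-data; boundary="a;b"', "text/html; charset"];
const flagged = (headers) => headers.filter((h) => checkContentType(h).problems.length > 0);
console.log(flagged(SAMPLES)); // values a proxy rule or log review should surface
```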
But additional exploits may not be needed to gain access to Tor, given that it was revealed earlier this year that the project is being funded by the US Government agency BBG and co-operates with American intelligence agencies.
That claim was made by journalist Yasha Levine, who obtained 2500 pages of information through FoI requests for a book he was writing titled Surveillance Valley.