The Tor Project, the non-profit that maintains the Tor anonymity software, has patched a vulnerability in a section of its website that could have put its visitors at risk of attack, or at least of unexpected messages.
Roy Jansen, a security researcher with a history of uncovering vulnerabilities in websites, tweeted evidence of the cross-site scripting (XSS) vulnerability on Saturday. XSS allows an attacker to build a specific URL that injects malicious scripts into webpages, which then run, unnoticed, in the browser of a user who visits the link.
"Maybe [the] Tor [network] isn't really in danger," Jansen told Motherboard in a Twitter message. "But their userbase/blog visitors are."
In his tweet, Jansen included a link to demonstrate the vulnerability. When clicked, the link directs users to the "Archive" section of the Tor Project's website, but with an additional message inserted by Jansen.
"It frustrated that I never received any answer," Jansen told Motherboard. "So I decided to set it public, in the hope they will patch it now." It appears to have worked—while Motherboard was reporting on this story, the Tor Project patched the vulnerability.
Back in December, during the German hacking conference Chaos Communication Congress, the Tor Project announced its first bug bounty program. With sponsorship from the Open Technology Fund, and with help from bounty platform HackerOne, researchers may be paid for vulnerabilities they discover in Tor Project applications. That likely does not include issues with the Tor Project website, however, and the program has started out invite-only.
"We fixed a glitch in our blog—to be clear, it's our organizational blog and not Tor software—Tor users are not affected. There is no there there," Kate Krauss, spokesperson for the Tor Project, told Motherboard, referring to a literary phrase written by Gertrude Stein.
Jansen, who discovered the vulnerability, told Motherboard that he hasn't received a reply from the Tor Project.
"I am glad they fixed it all, but it feels so bad no-one even replied by a simply word: which is 'thanks'."