[tbb-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 26 05:04:44 UTC 2017


#22067: NoScript Click-to-Play bypass
------------------------------------------+----------------------
     Reporter:  samantharis               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  High                      |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Major                     |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 NoScript does not block .webm playback on Tor hidden services but plays
 them first and then blocks them after.


 Example:

 If you go to http://alokalaou53jmgum.onion/b/50927 and click on the
 'homer-simpson webm', it will start playing directly after being clicked
 on even though Tor Browser's security slider is set to high, and this
 happens 9/10 times.

 Whereas if you open it directly it will block it 9/10 times.

 http://alokalaou53jmgum.onion/src/M9Xjl/1486923637894.webm


 This is present in at least Tor Browser 6.5.1 and 6.5.2 and probably on
 even older versions, leaving users potentially in danger if it were to be
 a malicious .webm by not blocking it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22067>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

