https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass... https://blog.torproject.org/blog/tor-browser-605-released Introduction: The combination of chaining the vulnerabilities described below allows a malicious exit node operator or global adversary to conduct a silent remote code execution attack on all platforms of the Tor Browser. This attack is not limited to just being hypothetical in nature and evidence shows that this attack has already been possible for a number of years. The list of vulnerable deployments to this attack includes the native Tor Browser for Windows, Linux, OSX and also includes Tor Browser installations on dedicated operating systems such as Tails and Whonix. The entire security of the Tor Browser ecosystem relies on the integrity of a single TLS certificate that has already been previously compromised. Efforts to mitigate these types of risks through certificate pinning appear to not have been correctly implemented with regard to the extension update process and also appear to provide no protection. This attack enables arbitrary remote code execution against users accessing specific clearnet resources when used in combination with a targeting mechanism; such as by passively monitoring exit node traffic for traffic destined for specific clearnet resources. Additionally this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and to move towards implantation after selected criteria are met (such as an installed language pack, public IP address, DNS cache, stored cookie, stored web history, and etc). Quick financial estimates put the cost to launch such an attack at roughly $100,000 USD for maximum impact. To put in clearer perspective; this attack costs an attacker 0.06 USD per compromised machine given that 1.5 million users operate on Tor at any given time. Ultimately the combination of all vulnerabilities and the resources required to stage such an attack is well within the reach of a nation-state or criminal organization. Responsible Disclosure Attempts: This vulnerability was originally described publicly in concept before the initial confirmation of the feasibility of the attack. Reaction to the theoretical disclosure was mocked as non-credible by Micah Lee and Andrea Shepard (individuals associated with the Tor Project Incorporated).