Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

The maintainers of the Tails project have issued a warning that the Tor Browser that’s bundled with the operating system is unsafe to use for accessing or entering sensitive information.

“We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.),” the project said in an advisory issued this week.

Tails, short for The Amnesic Incognito Live System, is a security-oriented Debian-based Linux distribution aimed at preserving privacy and anonymity by connecting to the internet through the Tor network.

The alert comes as Mozilla on May 20, 2022, rolled out fixes for two critical zero-day flaws in its Firefox browser, a modified version of which acts as the foundation of the Tor Browser.

Tracked as CVE-2022-1802 and CVE-2022-1529, the two vulnerabilities are prototype pollution flaws that could be weaponized to gain JavaScript code execution on devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.

“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session,” the Tails advisory reads.

The bugs were demonstrated by Manfred Paul at the 15th edition of the Pwn2Own hacking contest held in Vancouver last week, for which the researcher was awarded $100,000.

However, Tor Browsers that have the “Safest” security level enabled, as well as the Thunderbird email client in the operating system, are immune to the flaws because JavaScript is disabled in both cases.

Also, the weaknesses don’t break the anonymity and encryption protections baked into Tor Browser, meaning that Tails users who don’t handle sensitive information can continue to use the web browser.

“This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn’t have the capacity to publish an emergency release earlier,” the developers said.