Hackers are actively exploiting a zero-day vulnerability in Firefox to unmask Tor Browser users, similar to what the FBI exploited during an investigation of a child pornography site.
Tor (The Onion Router) is an anonymity software that not only provides a safe heaven to human rights activists, journalists, government officials, but also is a place where drugs, assassins for hire, child pornography, and other illegal activities has allegedly been traded.
The exploit code was publicly published by an admin of the SIGAINT privacy-oriented public email service on the Tor-Talk mailing list.
The mailing list message reveals that the zero-day exploit affecting Firefox is currently being exploited against Tor Browser users by unknown attackers to leak the potentially identifying information of Tor users, officials of the anonymity service confirmed Tuesday.
Tor Browser Bundle is a repackaged version of Mozilla Firefox web browser that runs connections through the Tor anonymizing network configured to hide its user’s public IP address.
“[The exploit code] consists of one HTML and one CSS file, both pasted below and also de-obscured,” the author says. “The exact functionality is unknown, but it is getting access to VirtualAlloc in kernel32.dll and goes from there.”
Researchers also found that the exploit submits users’ machine details to 18.104.22.168 (a remote server hosted on the OVH-hosted virtual machine in France) on port 80, which is no longer responding at the time of writing.
Although security researchers are still analyzing the Tor exploit code, a disassembly of it shows the latest zero-day flaw is very similar to a separate Tor Browser exploit that emerged in 2013.
The 2013 exploit was the work of the United States FBI, which was targeting Tor users who accessed child pornography.
“So it sounds like the immediate next step is that Mozilla finishes their patch for it then…a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser,” Tor Project lead Roger Dingledine said.
The critical vulnerability is believed to affect multiple Windows versions of the open source Firefox web browser as far back as Firefox version 41, and up to Firefox version 50.