Tor users at risk of having their anonymity stripped via attacks exploiting Firefox zero-day

Wait a second… this looks familiar…

David Bisson (@DMBisson)


Attackers are currently exploiting a zero-day vulnerability in the Firefox web browser to strip anonymity from Tor users.

News of the security hole first emerged on Tor Talk, a mailing list for users who are interested in onion routing. There, an admin for the privacy-centric organization SIGAINT published exploit code for the vulnerability as well as the following introduction:

“This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to ‘VirtualAlloc’ in ‘kernel32.dll’ and goes from there.”


The code makes use of a memory corruption vulnerability in Firefox versions 45-50 to execute code on computers running Windows. Security researcher Joshua Yabut analyzed the exploit and said it’s specifically targeting a heap overflow bug to achieve remote code execution.

Upon successful exploitation, the attack sends a unique identifier about each victim’s computer to a server at 5.39.27.226, a French IP address that as of this writing was down.

So what’s the big deal?

The exploit threatens the privacy of Tor users (and maybe even some Firefox users) in much the same way as a campaign created by the FBI did back in 2013. For that attack, the FBI used code to deanonymize visitors of a child abuse website and send their data to a server located at 65.222.202.54.

These two attacks aren’t that dissimilar.

In fact, a security researcher who goes by the Twitter handle @TheWack0lian told Ars Technica that the two campaigns are essentially identical:

“It’s basically almost EXACTLY the same as the payload used in 2013. It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed.”

Mozilla is currently working on a fix for the Firefox bug, which Tor co-founder Roger Dingledine confirmed on 29 November.

While we await a patch, Firefox users should disable JavaScript using a plugin like NoScript, and Tor users should consider making use of privacy measures other than the Tor browser.

For instance, they could consider using a VPN, searching only via the DuckDuckGo search engine, and not employing Firefox as their web browser of choice.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

4 comments on “Tor users at risk of having their anonymity stripped via attacks exploiting Firefox zero-day”

  1. Jack

    This is a good thing, the fed spooks are going to lose this snooping hole once it's patched. For TOR users, this is great news that this vulnerability/exploit was discovered.

    1. Bob · in reply to Jack

      It's been around since 2013. This is a simple re-coding of the same vulnerability.

      The sooner it's properly fixed, the better.

  2. IanH

    I'm very happy to be known to be using Tor. I think everyone should use it. The more we fill up the snoopers' inboxes with white noise the more they might get the idea that targeted surveillance might be a better idea.

    1. kilroy · in reply to IanH

      Targeted surveillance is racist, discriminatory, prejudiced, a right-wing conspiracy, and President Trump's fault.
      Better to punish the entire population of planet Earth than to single out a single wrongdoer.
