Attackers are currently exploiting a zero-day vulnerability in the Firefox web browser to strip anonymity from Tor users.
News of the security hole first emerged on Tor Talk, a mailing list for users who are interested in onion routing. There, an admin for the privacy-centric organization SIGAINT published exploit code for the vulnerability as well as the following introduction:
The code makes use of a memory corruption vulnerability in Firefox versions 45-50 to execute code on computers running Windows. Security researcher Joshua Yabut analyzed the exploit and said it’s specifically targeting a heap overflow bug to achieve remote code execution.
Upon successful exploitation, the attack sends a unique identifier about each victim’s computer to a server at 220.127.116.11, a French IP address that as of this writing was down.
So what’s the big deal?
The exploit threatens the privacy of Tor users (and maybe even some Firefox users) in much the same way as a campaign created by the FBI did back in 2013. For that attack, the FBI used code to deanonymize visitors of a child abuse website and send their data to a server located at 18.104.22.168.
These two attacks aren’t that dissimilar.
In fact, a security researcher who goes by the Twitter handle @TheWack0lian told Ars Technica that the two campaigns are essentially identical:
“It’s basically almost EXACTLY the same as the payload used in 2013. It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed.”
Mozilla is currently working on a fix for the Firefox bug, which Tor co-founder Roger Dingledine confirmed on 29 November.
For instance, they could consider using a VPN, searching only via the DuckDuckGo search engine, and not employing Firefox as their web browser of choice.