Tor users at risk of having their anonymity stripped via attacks exploiting Firefox zero-day

Wait a second… this looks familiar…

David Bisson
@DMBisson

Attackers are currently exploiting a zero-day vulnerability in the Firefox web browser to strip anonymity from Tor users.

News of the security hole first emerged on Tor Talk, a mailing list for users who are interested in onion routing. There, an admin for the privacy-centric organization SIGAINT published exploit code for the vulnerability as well as the following introduction:

“This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to ‘VirtualAlloc’ in ‘kernel32.dll’ and goes from there.”

The code makes use of a memory corruption vulnerability in Firefox versions 45-50 to execute code on computers running Windows. Security researcher Joshua Yabut analyzed the exploit and said it’s specifically targeting a heap overflow bug to achieve remote code execution.

Upon successful exploitation, the attack sends a unique identifier for each victim’s computer to a server at 5.39.27.226, a French IP address that was down as of this writing.

So what’s the big deal?

The exploit threatens the privacy of Tor users (and maybe even some Firefox users) in much the same way as a campaign created by the FBI did back in 2013. For that attack, the FBI used code to deanonymize visitors of a child abuse website and send their data to a server located at 65.222.202.54.

These two attacks aren’t that dissimilar.

In fact, a security researcher who goes by the Twitter handle @TheWack0lian told Ars Technica that the two campaigns are essentially identical:

“It’s basically almost EXACTLY the same as the payload used in 2013. It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed.”

Mozilla is currently working on a fix for the Firefox bug, which Tor co-founder Roger Dingledine confirmed on 29 November.

While we await a patch, Firefox users should disable JavaScript using a plugin like NoScript, and Tor users should consider making use of privacy measures other than the Tor browser.

For instance, they could consider using a VPN, searching only via the DuckDuckGo search engine, and not employing Firefox as their web browser of choice.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

4 comments on “Tor users at risk of having their anonymity stripped via attacks exploiting Firefox zero-day”

  1. This is a good thing, the fed spooks are going to lose this snooping hole once it's patched. For TOR users, this is great news that this vulnerability/exploit was discovered.

  2. I'm very happy to be known to be using Tor. I think everyone should use it. The more we fill up the snoopers' inboxes with white noise the more they might get the idea that targeted surveillance might be a better idea.

    1. Targeted surveillance is racist, discriminatory, prejudiced, a right-wing conspiracy, and President Trump's fault.
      Better to punish the entire population of planet Earth than to single out a single wrongdoer.
