Attackers wield Firefox exploit to uncloak anonymous Tor users

Attackers exploited a recently patched vulnerability in the Firefox browser to uncloak users of the Tor anonymity service, and the attack code is now publicly circulating online. While the exploit was most likely designed to identify people alleged to have frequented a child porn forum recently targeted by the FBI, anonymity advocates say the code could be used against almost any Tor user.

A piece of malicious JavaScript was found embedded in webpages delivered by Freedom Hosting, a provider of "hidden services" that are available only to people surfing anonymously through Tor. The attack code exploited a memory-management vulnerability, forcing Firefox to send a unique identifier to a third-party server using a public IP address that can be linked back to the person's ISP. The exploit contained several hallmarks of professional malware development, including "heap spraying" techniques to bypass Windows security protections and the loading of executable code that prompted compromised machines to send the identifying information to a server located in Virginia, according to an analysis by researcher Vlad Tsyrklevich.

Discovery of the exploit came as the FBI reportedly sought the extradition of Freedom Hosting's founder on child porn charges. Word of 28-year-old Eric Eoin Marques's arrest also came as members of the Tor Project reported the disappearance of a "large number" of hidden service addresses used by Freedom Hosting. The confluence of the three events has prompted speculation that the de-anonymizing exploit is the work of the FBI or another organized group targeting child pornographers.
