Tor is a browser used by huge numbers of people worldwide to access the internet in a secure and private manner. Due to the fact that it provides high levels of anonymity, it is often used by criminals to buy and sell products such as drugs or weapons – transactions that would be unwise to engage in on the open internet. Now, the security that Tor provides for its users is being seriously called into question for (Windows) Firefox users. The reason? A zero-day exploit that allows Tor users to be exposed for who they really are. Importantly (though unconfirmed for now) it would appear that the vulnerability may also affect Windows Firefox users who use VPN services for security.
The code for the zero-day exploit was exposed on Tor-talk by an admin of SIGAINT – a Tor hidden service – that offers highly secure email services. The source code that appeared in the message was followed by the following text,
Tor officials have confirmed that the exploit, which makes use of the flaw in Firefox, is being utilized by unknown cyber attackers to access information that could potentially unmask Tor users. In addition, Roger Dingledine, the co-founder of Tor, confirmed that Mozilla has scrambled to fix up the previously unknown problem in the popular browser.
The vulnerability is believed to have been in place since Firefox version 41 was released back on 22 September 2015.
Tor Browser Bundle (which is itself a modified or ‘hardened’ version of the Firefox browser) is used to mask users’ IP addresses via a network of volunteer exit nodes situated all over the world. Now the Firefox exploit (which affects Firefox and Tor users) could be causing huge security problems for its users.
“[The exploit code] consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown, but it is getting access to VirtualAlloc in kernel32.dll and goes from there.”
According to an independent security researcher who goes by the Twitter name @TheWack0lian, the exploit is very similar to the one used by the FBI during the Playpen investigation that took place back in 2013.
Who Is the Attacker?
As of yet, it is unclear whether Wack0lian’s revelation points to the code being used (once again) as part of US intelligence investigations (it seems highly likely). What is known, is that during the FBI’s case a unique identifier was being sent to a server. On that occasion, the server was located at the IP address 184.108.40.206. This time, the exploit has been sending identifiable data to a server at 220.127.116.11. That virtual server (which is set to port 80) is no longer responding.
The IP address in question, however, is assigned to a server belonging to French Web host OVH. This is where the story suddenly gets even more interesting for anybody who is a fan of a good mystery.
For now, the French firm has refused to issue a statement about the possible use of its server to unmask Tor users. However, OVH was recently subjected to one of the largest DDoS attacks in history, seemingly at random.
The fact that one of OVH’s virtual servers was being used as part of this exploit certainly makes one wonder if whoever performed the record-breaking 1.5 terabyte DDoS attack (using the Mirai malware), also had a deeper knowledge of the use of the French web host’s server (and its involvement with this immensely dangerous Firefox exploit).
If that is the case, it would certainly appear that not only is someone using the exploit to uncover Tor users in the wild, but someone else knows about it and is unhappy.
VPN on Windows? Stay Away from Firefox for Now
Lastly, although Mozilla is at this time rushing to fix the flaw in the Firefox browser, the fact that the source code has been published to the internet means that the exploit is now in the hands of a much wider demographic of computer users. As such, anybody who requires high levels of security is advised to use a different browser for the time being. All VPN users on Windows are also advised to stay away from Firefox until a fix is issued by Mozilla.
Edit on 1/12/2016 at 9 am to add: A patch has now been issued by Mozilla and Tor that fixes the problem, as such users should update their Firefox and Tor browsers as soon as possible in order to shore up their systems.