Does Firefox Tor Exploit Also Affect VPN Users?

Ray Walsh

Ray Walsh

November 30, 2016

Tor is a browser used by huge numbers of people worldwide to access the internet in a secure and private manner. Due to the fact that it provides high levels of anonymity, it is often used by criminals to buy and sell products such as drugs or weapons – transactions that would be unwise to engage in on the open internet. Now, the security that Tor provides for its users is being seriously called into question for (Windows) Firefox users. The reason? A zero-day exploit that allows Tor users to be exposed for who they really are. Importantly (though unconfirmed for now) it would appear that the vulnerability may also affect Windows Firefox users who use VPN services for security.

Tor Vulnerability

Tor Project’s ‘onion browser’ may be famous for illegal marketplaces such as Silk Road, but it is also a refuge for journalists, human rights activists, and political dissenters who use the ‘onion browser’ to avoid persecution for their views and endeavors. Now, a javascript zero-day vulnerability, which makes use of a memory corruption flaw in Firefox, has been discovered being actively exploited. The exploit means that affected Windows users may have had their identities exposed while communicating on Tor.

The code for the zero-day exploit was exposed on Tor-talk by an admin of SIGAINT – a Tor hidden service – that offers highly secure email services. The source code that appeared in the message was followed by the following text,

“This is a JavaScript exploit actively used against TorBrowser NOW.”

Tor officials have confirmed that the exploit, which makes use of the flaw in Firefox, is being utilized by unknown cyber attackers to access information that could potentially unmask Tor users. In addition, Roger Dingledine, the co-founder of Tor, confirmed that Mozilla has scrambled to fix up the previously unknown problem in the popular browser.

Long-standing Problem

The vulnerability is believed to have been in place since Firefox version 41 was released back on 22 September 2015.

tor-zero-dayTor Browser Bundle (which is itself a modified or ‘hardened’ version of the Firefox browser) is used to mask users’ IP addresses via a network of volunteer exit nodes situated all over the world. Now the Firefox exploit (which affects Firefox and Tor users) could be causing huge security problems for its users.

When the newly discovered zero-day is employed, any Windows machine that has Javascript enabled can be forced (using a memory corruption vulnerability) to make direct calls to kernel32.dll. This, in turn, allows for malicious code to be executed on the Windows platform to discover users’ identities.

“[The exploit code] consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown, but it is getting access to VirtualAlloc in kernel32.dll and goes from there.”

According to an independent security researcher who goes by the Twitter name @TheWack0lian, the exploit is very similar to the one used by the FBI during the Playpen investigation that took place back in 2013.


Who Is the Attacker?

As of yet, it is unclear whether Wack0lian’s revelation points to the code being used (once again) as part of US intelligence investigations (it seems highly likely). What is known, is that during the FBI’s case a unique identifier was being sent to a server. On that occasion, the server was located at the IP address This time, the exploit has been sending identifiable data to a server at That virtual server (which is set to port 80) is no longer responding.

The IP address in question, however, is assigned to a server belonging to French Web host OVH. This is where the story suddenly gets even more interesting for anybody who is a fan of a good mystery.

For now, the French firm has refused to issue a statement about the possible use of its server to unmask Tor users. However, OVH was recently subjected to one of the largest DDoS attacks in history, seemingly at random.

The fact that one of OVH’s virtual servers was being used as part of this exploit certainly makes one wonder if whoever performed the record-breaking 1.5 terabyte DDoS attack (using the Mirai malware), also had a deeper knowledge of the use of the French web host’s server (and its involvement with this immensely dangerous Firefox exploit).

If that is the case, it would certainly appear that not only is someone using the exploit to uncover Tor users in the wild, but someone else knows about it and is unhappy.

VPN on Windows? Stay Away from Firefox for Now

Lastly, although Mozilla is at this time rushing to fix the flaw in the Firefox browser, the fact that the source code has been published to the internet means that the exploit is now in the hands of a much wider demographic of computer users. As such, anybody who requires high levels of security is advised to use a different browser for the time being. All VPN users on Windows are also advised to stay away from Firefox until a fix is issued by Mozilla.

In addition, communicating on Tor should be kept to a minimum and Javascript should be disabled. Despite the fact that it is generally against Tor’s recommendations, don’t let this put you off, as Tor ships with Javascript enabled for most people’s ease of use. However, the setting is easy to change and under the circumstances – should be.

Edit on 1/12/2016 at 9 am to add: A patch has now been issued by Mozilla and Tor that fixes the problem, as such users should update their Firefox and Tor browsers as soon as possible in order to shore up their systems.

Your Information will never be shared with any third party.
Enter your email address to receive your Beginner's Guide to Online Security for Free
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the ebook:
Your Information will never be shared with any third party.
Enter your email address to receive your Ultimate Online Privacy Guide eBook!
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the eBook:
Special VPN Deal
Exclusive Offer
Get a Special Deal - 72% OFF!
With a biannual subscription
Exclusive Offer for Visitors!
50% Off Annual Plan
Limited Time Only
Exclusive price of
Exclusive Offer
Get NordVPN for only
Exclusive Offer
Get NordVPN for only