Users of online anonymity network Tor are facing a new attack that uses nearly identical code to a Firefox exploit used by the FBI in 2013.
While the attacks are currently targeting Tor users, the publication of the exploit code allows anyone to use it, potentially putting all Firefox users at risk from new attacks. The Tor Browser is based on a version of Firefox and the two often share common vulnerabilities.
Security researcher and CEO of TrailofBits, Dan Guido, notes that macOS is also vulnerable. However, the exploit currently only targets Firefox on Windows.
A researcher going by the @TheWack0lian handle on Twitter has analyzed the exploit and says it is virtually identical to one that the FBI admitted to using in 2013 to unmask visitors to a dark-web child-abuse site hosted on Freedom Hosting.
“When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn’t looking at a three-year-old post,” TheWack0lian wrote.
The FBI’s 2013 malware was designed to send the user’s host name and MAC address to a server hosted on a different IP address to the new attack. According to TheWack0lian, the new malware calls send a unique identifier to a server at 126.96.36.199, which is assigned to French ISP OVH but that address currently isn’t responding.
To some, this connection to a French address throws into question any suspicion that the new malware is linked to an FBI operation.
According to privacy advocate Christopher Soghoian: “The Tor malware calling home to a French IP address is puzzling, though I’d be surprised to see a US federal judge authorize that.”
In a series of posts on Twitter, Guido commented that this exploit is not particularly sophisticated and would be more difficult to exploit on Chrome and Edge due to memory partitioning, which Firefox lacks.
“Final thoughts: the Tor Browser Bundle is unable to protect those who need it most. If you rely on it, strongly reconsider your choices,” Guido wrote.