Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Firefox Privacy The Internet Communications Mozilla Network Networking Security

Firefox Zero-Day Can Be Used To Unmask Tor Browser Users (computerworld.com) 55

An anonymous reader quotes a report from Computerworld: A Firefox zero-day being used in the wild to target Tor users is using code that is nearly identical to what the FBI used in 2013 to unmask Tor-users. A Tor browser user notified the Tor mailing list of the newly discovered exploit, posting the exploit code to the mailing list via a Sigaint darknet email address. A short time later, Roger Dingledine, co-founder of the Tor Project Team, confirmed that the Firefox team had been notified, had "found the bug" and were "working on a patch." On Monday, Mozilla released a security update to close off a different critical vulnerability in Firefox. Dan Guido, CEO of TrailofBits, noted on Twitter, that "it's a garden variety use-after-free, not a heap overflow" and it's "not an advanced exploit." He added that the vulnerability is also present on the Mac OS, "but the exploit does not include support for targeting any operating system but Windows." Security researcher Joshua Yabut told Ars Technica that the exploit code is "100% effective for remote code execution on Windows systems." "The shellcode used is almost exactly the shellcode of the 2013 one," tweeted a security researcher going by TheWack0lian. He added, "When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn't looking at a 3-year-old post." He's referring to the 2013 payload used by the FBI to deanonymize Tor-users visiting a child porn site. The attack allowed the FBI to tag Tor browser users who believed they were anonymous while visiting a "hidden" child porn site on Freedom Hosting; the exploit code forced the browser to send information such as MAC address, hostname and IP address to a third-party server with a public IP address; the feds could use that data to obtain users' identities via their ISPs.
This discussion has been archived. No new comments can be posted.

Firefox Zero-Day Can Be Used To Unmask Tor Browser Users

Comments Filter:
  • Any tor utilizing application's zero-day bugs can be used to unmask that tor utilizing app's users.
    • by DarkOx ( 621550 )

      Right, at the very least you need to install a perfectly clean VM taking all the default install options on the OS so you don't do anything that might be identifiable or make it more unique. Make sure you do not enable any of the host integration stuff, no copy paste, don't install the VMware tools, ensure all the host isolation stuff is on, don't even allow the power status or system clock to the VM. Only then do you install tor. After that take a snapshot. Be sure to revert to that snapshot each and e

      • by Anonymous Coward

        Right, at the very least you need to install a perfectly clean VM taking all the default install options on the OS so you don't do anything that might be identifiable or make it more unique. Make sure you do not enable any of the host integration stuff, no copy paste, don't install the VMware tools, ensure all the host isolation stuff is on, don't even allow the power status or system clock to the VM. Only then do you install tor. After that take a snapshot. Be sure to revert to that snapshot each and ever time you use the VM before you do any tor browsing! Start over and make a fresh build every few months as you can't trust upgrade processes won't leave something finger-printable and using a browser even a few months old might separate you from the masses somewhat now that most of the world auto updates.

        Or you can skip all that bullshit and just boot a TAILS [boum.org] CD.

      • by TheCarp ( 96830 )

        That is not the very least. That is a whole bunch of extra work when entire distributions exist just to obviate the need for this. Take a look at tails.

        It is, of course, recommended to put it on a usb stick and clean boot hardware off the stick to use it; however, there is nothing stopping you from bringing it up in a VM if you are ok with the trade offs.

        Accomplishes the same thing, for less work, and with a much larger already setup base which will be identical to other users, in ways that increase the wor

        • by DarkOx ( 621550 )

          I am sorry I can't agree. There are going to be ALOT more people running a stock Windows 8.1 or stock Ubuntu than any of the 'privacy' distributions, all of which almost certainly can be finger printed. If you want to blend into the heard I would certainly pick on of those two platforms.

          I like the idea of running tor an a separate VM from the one you do your browsing on.

          • by TheCarp ( 96830 )

            > I like the idea of running tor an a separate VM from the one you do your browsing on.

            It is a proxy and most of the attack vectors attack the end client, not the network itself.... the tor client needs internet access, the client behind it can only harm itself with direct acces.... so don't give it...not even dns, nothing. Just port 9050 alone and only one responding IP.

            Maybe drop another interface on there and log all the non-port 9050 traffic as well :)

  • by Anonymous Coward

    Use NoScript and forbid scripts globally and this will mitigate the exploit.

    • by sims 2 ( 994794 )

      IKR having scripting turned on by default is one of the dumbest things they have ever done.

      I remember back when it was disabled by default and they said not to turn it on because it was a security risk.

    • Use NoScript and forbid scripts globally and this will mitigate the exploit.

      Or I think uMatrix [github.com] will work? (howto [adamantine.me])

    • by AHuxley ( 892839 )
      What does a whitelist do per site with the code?
      Does the code run from the whitelisted site visited or its on a third party site that expects a browser to allow it to work?
  • The bug can be used to run any code of an attacker's choosing.

    • by AHuxley ( 892839 )
      Whats the origin story? Gov code used by gov/s again? Or old gov code thats been found and been reused by someone/anyone?
    • by zifn4b ( 1040588 )

      The bug can be used to run any code of an attacker's choosing.

      Funny thing about this, the security conscious IT department of the company I work for insists that we all ought to prefer Firefox yet all the developers for the most part use Chrome. Bwah hah hah hah.

  • by Anonymous Coward

    Again a Windows and javascript explot. Use linux or bsd, and disable javascript from the config.

  • by Giorgio Maone ( 913745 ) on Wednesday November 30, 2016 @08:17PM (#53398179) Homepage

    Great work by Mozilla and the [mozilla.org]Tor Project [torproject.org] on the lighting fast (

    And yes, NoScript [noscript.net] did protect against this (the Tor Browser has it built-in, for users who know what they're doing).

    • by WD ( 96061 )

      And yet the fix that they chose to implement STILL causes Firefox to crash. Just not in an exploitable manner. Seems kind of non-ideal to me.

      • by Anonymous Coward

        You're always welcome to submit patches yourself. -PCP

  • It probably seems crazy to tell you not to use the official darknet browser on a darknet, but sadly the Tor browser is the top attack vector used by law enforcement against darknet users. It's the biggest target by far. You have to roll your own darknet browser. It's a PITA but otherwise, every exploit in the TLA's books is going to be aimed at you. Also it should go without saying that your browser should be running in a Linux VM whose state is discarded on shutdown, and ideally you should have a firewall setup that blocks all outgoing traffic not going to the darknet proxy address.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...