1. 4

  2. 4

    So supposedly a website running as a Tor hidden service was compromised and used to send a Firefox 0-day exploit to Windows users by way of Javascript. The vulnerability is in Firefox 17 and the exploit makes the host computer make an HTTP request out to a website and passes it a random GUID. Since that HTTP call running from the exploit would get made outside of Firefox, it would bypass Tor if the host was setup to only proxy Firefox through Tor (as Tor’s browser bundle is). By doing that, it allowed law enforcement (or whomever is responsible for this) to match up the random GUID shown to a Tor user with their actual public IP used to make the HTTP request. Supposedly that was or is being used to go after people using Tor to distribute child porn, which Freedom Hosting (a Tor hidden service hosting provider) was hosting a lot of, as the founder of Freedom Hosting was recently arrested.

    Jacob says they’re working with Mozilla’s security team to figure out where the Firefox vulnerability is. In the mean time, disable Javascript in Firefox.

    1. 1

      Of note, Firefox 17 is the version used in the Tor Browser Bundle.

      1. 1

        There was an announcement made on the tor-talk mailing list discussing the vulnerability.