Firefox security flaw exposes Tor users' IP addresses

New Firefox exploit targeting Tor users looks a lot like an old one...

A new exploit targeting users of Tor running Firefox has been uncovered - and the exploit, published yesterday, bears a remarkable similarity to a 2013 exploit used by the FBI in a sting operation.

It exploits a heap-overflow bug and allows malicious code to run on targeted Windows PCs. The exploit, published on the Tor Project website and verified by Tor co-founder Roger Dingledine, consists of one HTML file and one CSS file.

Dingledine confirmed that Mozilla is already working on a patch for the flaw. "It sounds like the immediate next step is that Mozilla finishes their patch for it; then the step after that is a quick Tor Browser update. And somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," he added.

According to security specialists, the payload of the exploit is almost identical to one used by the FBI in 2013 to de-anonymise and identify the IP addresses of people visiting a child-rape website. "When I first noticed the old shellcode was so similar, I had to double check the dates to make sure I wasn't looking at a three-year-old post," said one security specialist.

Because the exploit relies on JavaScript to trigger the heap overflow, it only works if JavaScript is enabled in the browser. Disabling JavaScript in Tor Browser is the standard recommendation for users who need maximum security, precisely because of exploits like this one.

Currently, the exploit code points to the IP address 5.39.27.226, a server hosted by OVH in France, which makes it unlikely that the FBI (or any other US agency) is behind it.

The new flaw comes just days after Mozilla patched another critical flaw that could let an attacker take control of a targeted PC - and that came just two weeks after another major patch for the open-source web browser.

In an advisory published this week alongside that patch, Mozilla admitted that the flaw "can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them."