FBI behind Firefox zero-day compromising half of all Tor sites?

People use the Tor anonymity network to protect their privacy, but perhaps as much as half of all Tor hidden services (.onion sites), Tor Mail included, are potentially compromised . . . and some hackers are pointing the finger of blame at the FBI.


The owner of an Irish company, Freedom Hosting, has allegedly been providing turnkey hosting services for the Darknet (often lumped together with the "Deep Web"): Tor hidden services that are "hidden" in the sense that they are reachable only over Tor, typically through the Firefox-based Tor Browser Bundle. The FBI reportedly called Eric Eoin Marques "the largest facilitator of child porn on the planet" and wants to extradite the 28-year-old man. About that time, Freedom Hosting went down, and Tor users discovered that someone had used a Firefox zero-day to serve a drive-by exploit to anyone who visited a site hosted by Freedom Hosting. Ofir David, of Israeli cybersecurity firm Cyberhat, told Krebs on Security, “Whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.”

If you’ve never visited the Hidden Wiki, then you should be fully aware that if you do, you will see things that can never be unseen. Freedom Hosting maintained servers for “TorMail, long considered the most secure anonymous email operation online,” wrote the Daily Dot. “Major hacking and fraud forums such as HackBB; large money laundering operations; and the Hidden Wiki, which, until recently, was the de facto encyclopedia of the Dark Net; and virtually all of the most popular child pornography websites on the planet.”

If you were running a Tor Browser Bundle based on Firefox 17 that predated the June fix (Firefox 17.0.7 ESR closed the bug), visited a Freedom Hosting hidden service on or after August 2, and had JavaScript enabled, then experts suggest it is likely your machine was compromised. The payload observed so far targets Windows, so Windows users are the ones most at risk. E Hacking News went further and claimed that almost half of all Tor sites have been compromised by the FBI.

“It’s very likely that this is being operated by an LEA and not by blackhats,” according to analysis by Vlad Tsyrklevich. “It just sends identifying information to some IP in Reston, Virginia,” he told Wired. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

The Tor Project blog first reported that a large number of hidden service addresses disappeared from the Tor network around midnight on August 4. Mozilla had issued a security advisory for the underlying Firefox bug back on June 25; on August 5 the Tor Project blog echoed it, warning that Tor Browser Bundles older than the fixed release are vulnerable. “An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.”

“Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions,” the Tor Project advised. Those precautions include keeping the Tor Browser Bundle up to date, disabling JavaScript (more Firefox zero-days will surface, and JavaScript is the usual way to trigger them), and potentially switching to a “live system” like Tails. The critical security announcement also stated, “Really, switching away from Windows is probably a good security move for many reasons.”

Open Watch reported, “The execution of malicious JavaScript inside the Tor Browser Bundle, perhaps the most commonly used Tor client, comes as a surprise to many users. Previously, the browser disabled JavaScript execution by default for security purposes.” It was changed “by developers in order to make the product more useful for average internet users. As a result, however, the application has become vastly more vulnerable to attacks such as this.”
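The "disable JavaScript" precaution above is a one-line Firefox preference, but toggling it in the browser UI is easy to undo by accident. The script below is an added example, written for this page and not code from the Tor Project or from the article, that forces the preference off through the profile's user.js file (which Firefox re-applies over prefs.js on every start) and verifies the result. The preference name javascript.enabled is the real Firefox setting; the profile path passed in is an assumption you must supply for your own bundle.

```shell
#!/bin/sh
# Added example: persistently disable JavaScript in a Firefox / Tor Browser
# profile. Not from the original article. The profile directory is whatever
# your Tor Browser Bundle uses (assumed, e.g. .../Data/Browser/profile.default).
set -eu

# Write the hardening preference into the profile's user.js. Firefox reads
# user.js at startup and re-applies it over prefs.js, so an in-browser toggle
# back to "enabled" does not survive a restart. Idempotent: an existing
# javascript.enabled line is replaced rather than duplicated.
harden_profile() {
    profile="$1"
    mkdir -p "$profile"
    user_js="$profile/user.js"
    if [ -f "$user_js" ]; then
        # grep -v exits 1 when nothing is left, which is fine here.
        grep -v '"javascript.enabled"' "$user_js" > "$user_js.tmp" || true
        mv "$user_js.tmp" "$user_js"
    fi
    printf 'user_pref("javascript.enabled", false);\n' >> "$user_js"
}

# Check whether a profile has JavaScript forced off in user.js.
# Exit status 0 = disabled, 1 = still enabled (the Firefox 17 default).
js_disabled() {
    user_js="$1/user.js"
    [ -f "$user_js" ] && grep -q 'user_pref("javascript.enabled", *false)' "$user_js"
}

# Usage (profile path is an assumption for illustration):
#   harden_profile "$HOME/tor-browser/Data/Browser/profile.default"
#   js_disabled   "$HOME/tor-browser/Data/Browser/profile.default" && echo "JS off"
```

Note that this only covers the JavaScript engine itself; it does not update the bundle, which is the first item in the Tor Project's advice, nor does it replace NoScript's per-site controls.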

Numerous hackers, security experts and researchers are tearing apart and analyzing the malicious payload code. The FBI may not be the culprit here, but the timing of the attack, which delivered “a weaponized exploit to Firefox users running Windows systems,” does seem suspicious. Of course, after all the NSA spying drama . . . people might be inclined to automatically accuse the government of more surveillance and censorship.
