Firefox 0-day exploited in the wild to unmask Tor users

An anonymous user of the SIGAINT darknet email service has revealed the existence of a JavaScript exploit that is apparently being actively used to de-anonymize Tor Browser users.


The warning came through a post on the tor-talk mailing list, which included the exploit (one HTML and one CSS file).

Tor Project leader Roger Dingledine acknowledged the post and noted that the Firefox team is already working on a patch; once it is done, the Tor Project will check whether the Tor Browser needs to be patched, too.

The Tor Browser is based on the Firefox ESR browser – its latest version is based on version 45 of Firefox ESR.

A security researcher who goes by the Twitter handle @TheWack0lian disassembled the exploit and pointed out that it’s very similar to the exploit planted by the FBI in 2013 on Freedom Hosting. The exploit was used to discover the identity of the users of the hidden services hosted by that provider, as it forced their browser to send information about the device they use (hostname, MAC address, IP address) to a server controlled by the bureau.

In this latest exploit, the information was being sent through port 80 to a server located at – an IP address that is assigned to OVH, a French ISP and web hosting company.

Trail of Bits CEO says that the exploit takes advantage of a use-after-free vulnerability in Firefox’s SVG parser and ultimately allows the attackers to achieve remote code execution on Windows systems, i.e. to plant software that forces the browser to “identify” the machine.

He also says that while the vulnerability is present on macOS, the exploit does not include support for targeting any operating system but Windows.
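One defensive check that follows from the behaviour described above, written here as an added example rather than code from the article or from any of the parties it quotes: a Tor Browser process whose connections go anywhere other than the bundled Tor's local SOCKS port is no longer routing through Tor, which is exactly what the call-home over port 80 looks like on the endpoint. The script assumes connection events exported as JSON lines with `image`, `dst_ip` and `dst_port` fields, Tor Browser's default local ports 9150 (SOCKS) and 9151 (control), and a constructed sample log with a documentation-range placeholder destination.

```python
"""Flag Tor Browser network connections that bypass the local Tor SOCKS proxy.
Assumptions (not from the article): events arrive as JSON lines with the fields
used below, Tor Browser runs firefox.exe from a path containing "Tor Browser",
and the bundled tor listens on 127.0.0.1:9150 (SOCKS) and 127.0.0.1:9151 (control).
"""
import json

# Destinations a healthy Tor Browser process is expected to talk to.
ALLOWED_LOCAL = {("127.0.0.1", 9150), ("127.0.0.1", 9151)}


def is_tor_browser(image: str) -> bool:
    """Heuristic: the Firefox binary launched from a Tor Browser install directory."""
    lowered = image.lower().replace("\\", "/")
    return "tor browser" in lowered and lowered.endswith("/firefox.exe")


def is_bypass(event: dict) -> bool:
    """True when a Tor Browser process connects anywhere but the local Tor proxy."""
    if not is_tor_browser(event.get("image", "")):
        return False
    dst = (event.get("dst_ip", ""), int(event.get("dst_port", 0)))
    # Any other destination means the browser is talking past Tor, which is
    # what a de-anonymizing call-home over port 80 does.
    return dst not in ALLOWED_LOCAL


def find_bypasses(lines):
    """Return the parsed events that represent proxy bypasses."""
    hits = []
    for line in lines:
        line = line.strip()
        if line:
            event = json.loads(line)
            if is_bypass(event):
                hits.append(event)
    return hits


# Constructed sample events; 203.0.113.0/24 is a documentation range used as a
# placeholder, not the address seen in the real incident.
SAMPLE_LOG = r"""
{"image": "C:\\Tor Browser\\Browser\\firefox.exe", "dst_ip": "127.0.0.1", "dst_port": 9150}
{"image": "C:\\Tor Browser\\Browser\\firefox.exe", "dst_ip": "127.0.0.1", "dst_port": 9151}
{"image": "C:\\Tor Browser\\Browser\\firefox.exe", "dst_ip": "203.0.113.7", "dst_port": 80}
{"image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst_ip": "203.0.113.8", "dst_port": 443}
"""

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG.splitlines()):
        print("Tor proxy bypass:", hit)
```

Only the Tor Browser connection to port 80 is reported; the ordinary Firefox install is out of scope because it is expected to reach the network directly.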

While the exploit was likely meant to target only Tor Browser users, the fact that it has now been made public means that other attackers could soon leverage it – if they aren’t using it already.

Until Mozilla comes up with a fix, disabling JavaScript on Firefox should protect users, but temporarily using another browser is also a good idea.

Tor Browser users can do the same, although the Tor Project has several reasons for why it keeps JavaScript enabled by default on it. Ultimately, though, they advise users to make their own choice regarding JavaScript, depending on their personal security, anonymity, and usability priorities.
