The warning came through a post on the tor-talk mailing list, which included the exploit (one HTML and one CSS file).
Tor Project leader Roger Dingledine acknowledged the post and noted that the Firefox team is already working on a patch; once it is done, the Tor Project will see if the Tor Browser needs to be patched, too.
The Tor Browser is based on the Firefox ESR browser – its latest version is based on version 45 of Firefox ESR.
A security researcher who goes by the Twitter handle @TheWack0lian disassembled the exploit and pointed out that it’s very similar to the exploit planted by the FBI in 2013 on Freedom Hosting. The exploit was used to discover the identity of the users of the hidden services hosted by that provider, as it forced their browser to send information about the device they use (hostname, MAC address, IP address) to a server controlled by the bureau.
In this latest exploit, the information was being sent through port 80 to a server located at 220.127.116.11 – an IP address that is assigned to OVH, a French ISP and web hosting company.
The Trail of Bits CEO says that the exploit takes advantage of a use-after-free vulnerability in Firefox’s SVG parser, and ultimately allows the attackers to perform remote code execution on Windows systems, i.e. to plant software that will force the browser to “identify” the machine.
He also says that while the vulnerability is present on macOS, the exploit does not include support for targeting any operating system but Windows.
While the exploit was likely meant to target only Tor Browser users, the fact that it has now been made public means that other attackers could soon leverage it – if they aren’t using it already.