
posted by janrinok on Wednesday November 30 2016, @10:32AM
from the check-your-security dept.

Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln

"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.

Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."

http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
https://web.archive.org/web/20161130072235/http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/

Firefox 0day in the wild is being used to attack Tor users

The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in Web pages served by a service known as Freedom Hosting.

http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://web.archive.org/web/20161130031656/http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/

[tor-talk] Javascript exploit

"This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://web.archive.org/web/20161130003501/https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

[Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]


  • (Score: 2) by janrinok (52) on Wednesday November 30 2016, @12:27PM (#434871)

    The argument goes that, if you disable javascript, then your browser appears far more unique than everyone else's browser. This means that it is easier to link a specific user (while not necessarily yet knowing who he or she is) to a series of sites or activity because their browser is unique. Subsequently, if the browser is identified, then your history is more easily recoverable.

  • (Score: 0) by Anonymous Coward on Wednesday November 30 2016, @12:37PM (#434875)
    Isn't it possible to lie about such things? Say you are all those things but in reality JavaScript is disabled and no media plugins actually work.
    • (Score: 0) by Anonymous Coward on Wednesday November 30 2016, @01:05PM (#434878)

      I'm pretty sure it is very detectable if your script that should generate certain server requests doesn't generate those server requests.
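As an added illustration of the point above (example code written for this page, not from any poster or from SoylentNews): a server-side check that decides from its own access log whether a visitor's browser executed the page's script, regardless of what the User-Agent header claims. It assumes the page embeds two beacons, a script-triggered request to /beacon/js and a noscript image request to /beacon/nojs, and that every log line carries a session id; the log format, the beacon paths and the sample log lines are all constructed for the example.

```javascript
'use strict';

// Assumed log format (constructed for this example, not any real server's):
//   <client-ip> <session-id> "<METHOD> <path>" "<User-Agent>"
// The page at /index.html is assumed to carry two beacons:
//   <script>new Image().src = '/beacon/js';</script>       fetched only if script executes
//   <noscript><img src="/beacon/nojs" alt=""></noscript>   fetched only if script is off
// A session id in every line ties the page fetch to whichever beacon follows it.
const LOG_LINE = /^(\S+) (\S+) "([A-Z]+) (\S+)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (m === null) return null;
  return { ip: m[1], session: m[2], method: m[3], path: m[4], userAgent: m[5] };
}

// Constructed sample: every session presents the same mainstream Firefox User-Agent,
// so the header alone cannot tell them apart; their beacon behaviour can.
const UA = 'Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0';
const SAMPLE_LOG = [
  `10.0.0.1 s1 "GET /index.html" "${UA}"`,
  `10.0.0.1 s1 "GET /beacon/js" "${UA}"`,
  `10.0.0.2 s2 "GET /index.html" "${UA}"`,
  `10.0.0.2 s2 "GET /beacon/nojs" "${UA}"`,
  `10.0.0.3 s3 "GET /index.html" "${UA}"`,
  `10.0.0.4 s4 "GET /index.html" "${UA}"`,
  `10.0.0.4 s4 "GET /beacon/js" "${UA}"`,
  `10.0.0.4 s4 "GET /beacon/nojs" "${UA}"`,
  'this line is corrupt and is skipped by the parser',
];

// Group requests by session and decide what the browser actually did.
function classifySessions(lines) {
  const sessions = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (rec === null) continue;
    if (!sessions.has(rec.session)) {
      sessions.set(rec.session, { userAgent: rec.userAgent, pages: 0, jsBeacon: 0, nojsBeacon: 0, verdict: null });
    }
    const s = sessions.get(rec.session);
    if (rec.path === '/beacon/js') s.jsBeacon += 1;
    else if (rec.path === '/beacon/nojs') s.nojsBeacon += 1;
    else s.pages += 1;
  }
  for (const s of sessions.values()) {
    if (s.jsBeacon > 0 && s.nojsBeacon > 0) s.verdict = 'inconsistent';  // both fired: not a normal browser load
    else if (s.jsBeacon > 0) s.verdict = 'js-executed';
    else if (s.nojsBeacon > 0) s.verdict = 'js-disabled';                 // NoScript or similar, whatever the UA says
    else s.verdict = 'no-beacon';                                          // beacons blocked, load aborted, or a crawler
  }
  return sessions;
}

// Count sessions per verdict, e.g. to notice when 'inconsistent' or 'no-beacon' spikes.
function summarize(sessions) {
  const counts = {};
  for (const s of sessions.values()) counts[s.verdict] = (counts[s.verdict] || 0) + 1;
  return counts;
}

const classified = classifySessions(SAMPLE_LOG);
for (const [id, s] of classified) console.log(`${id}: ${s.verdict} (header claims ${s.userAgent})`);
console.log(summarize(classified));
```

The four sessions claim an identical browser, yet the log sorts them into script executed, script disabled, no beacon at all, and the contradictory case where both beacons fired (which a real page load cannot produce). That is the sense in which a spoofed User-Agent does not hide a disabled script engine: the site measures what the client does, not what it says.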

    • (Score: 4, Informative) by janrinok (52) on Wednesday November 30 2016, @02:03PM (#434902)
      There are several different ways in which TOR is currently being probed. Browser fingerprinting is but one of them. You can always disguise the user agent string (i.e. the string that the browser offers to each site in order to identify the capabilities and limitations of each browser, e.g. "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0") but there is much more information [whoishostingthis.com] that can be collected by a site.

      So: the user agent string is a little muddled. But it's still useful. What can we do with it?

      We can:

      • Check the capabilities of the browser or device, and load different CSS based on the outcome;
      • Deliver custom JavaScript to one device compared with another;
      • Send an entirely different page layout to a phone, compared to a desktop computer;
      • Automatically send the correct translation of a document, based on the user agent language preference;
      • Push special offers to particular people, based on their device type or other factors;
      • Gather statistics about visitors to inform our web design and content production process, or simply measure who's hitting our site, and from which referral sources.

      Overall, we can empower our scripts to make the best choice for our visitor, based on their user agent. And we can feed that data back into a cycle of continuous improvement, analytics and other processes, like conversion optimization.

      So, although our own site does not need any other information to display correctly on your device, some sites rely on browser-provided data to give you the best user experience. Such data might include your screen size and resolution, default languages and/or fonts, etc. If you are not convinced, take a look at this site which analyses the data that your browser is currently pushing out [amiunique.org]. If I disable NoScript then I receive the following string on one of my boxes:

      However, your full fingerprint is unique among the 255178 collected so far.

      • (Score: 0) by Anonymous Coward on Thursday December 01 2016, @09:14AM (#435351)

        Well, I'm unique at a similar level (unique among the 255876 collected so far), but looking on the breakdown it's mostly because of my language preferences. 18.27% have no JS, but 0.1% share my language preferences. Then there's my User Agent, shared by only 0.48%. I guess those two already make me unique.

        Well, I wasn't aware of that; I guess I'll edit my language preferences and install a User Agent changer.

      • (Score: 0) by Anonymous Coward on Thursday December 01 2016, @11:18AM (#435388)

        I tried Tor Browser with JavaScript disabled. That site said "But only 1492 browsers out of the 256023 observed browsers (0.58 %) have exactly the same fingerprint as yours."
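An added example (not part of the thread, and not amiunique.org's code) of the arithmetic behind the percentages quoted in this subthread: given a population of observed browsers, it reports how many share a visitor's exact attribute set and how many bits of identifying information each attribute contributes, so you can see which single attribute gives a visitor away, as the language preferences did for the poster above. The attribute names, the user-agent strings (including the one assumed for Tor Browser) and the population counts are all constructed assumptions; in a real page the values would come from the User-Agent header, navigator.languages, screen.width and screen.height, the resolved time zone, and whether script ran at all.

```javascript
'use strict';

// Attributes a site can observe without any plugin (names chosen for this example).
const ATTRIBUTES = ['userAgent', 'languages', 'screen', 'timezone', 'javascript'];

// Constructed user-agent strings; TOR_UA is an assumption about what Tor Browser sends.
const FF50_WIN = 'Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0';
const FF50_LINUX = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0';
const CHROME_WIN = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36';
const TOR_UA = 'Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0';

// Constructed population of 10,000 observed browsers, grouped by identical attribute set.
const POPULATION = [
  { count: 5200, attrs: { userAgent: FF50_WIN,   languages: 'en-US,en',    screen: '1920x1080', timezone: 'America/New_York', javascript: true } },
  { count: 1500, attrs: { userAgent: CHROME_WIN, languages: 'en-US,en',    screen: '1366x768',  timezone: 'America/New_York', javascript: true } },
  { count: 1800, attrs: { userAgent: TOR_UA,     languages: 'en-US,en',    screen: '1000x700',  timezone: 'UTC',              javascript: true } },
  { count: 1450, attrs: { userAgent: TOR_UA,     languages: 'en-US,en',    screen: '1000x700',  timezone: 'UTC',              javascript: false } },
  { count:   40, attrs: { userAgent: FF50_LINUX, languages: 'en-US,en',    screen: '1920x1080', timezone: 'Europe/Berlin',    javascript: false } },
  { count:   10, attrs: { userAgent: FF50_LINUX, languages: 'de-DE,de,en', screen: '1920x1080', timezone: 'Europe/Berlin',    javascript: false } },
];

// Fixed attribute order and a separator that does not occur in the values, so equal
// attribute sets always serialise to the same string.
function canonicalize(attrs) {
  return ATTRIBUTES.map(k => `${k}=${String(attrs[k])}`).join('|');
}

// FNV-1a 32-bit, used only as a short display id for a fingerprint (not a security hash).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

function fingerprint(attrs) { return fnv1a(canonicalize(attrs)); }

function populationSize(population) { return population.reduce((n, g) => n + g.count, 0); }

// The amiunique-style headline number: how many observed browsers share this exact attribute set.
function shareOfFingerprint(population, attrs) {
  const canon = canonicalize(attrs);
  const matching = population.filter(g => canonicalize(g.attrs) === canon).reduce((n, g) => n + g.count, 0);
  const total = populationSize(population);
  return { fingerprint: fingerprint(attrs), matching, total, fraction: matching / total };
}

// Surprisal of one attribute value in bits: -log2(P(value)). Rarer values identify more.
function attributeSurprisal(population, name, value) {
  const total = populationSize(population);
  const withValue = population.filter(g => String(g.attrs[name]) === String(value)).reduce((n, g) => n + g.count, 0);
  if (withValue === 0) return Infinity;  // never observed before: maximally identifying
  return -Math.log2(withValue / total);
}

function surprisalBreakdown(population, attrs) {
  const bits = {};
  for (const k of ATTRIBUTES) bits[k] = attributeSurprisal(population, k, attrs[k]);
  return bits;
}

function mostIdentifyingAttribute(population, attrs) {
  const bits = surprisalBreakdown(population, attrs);
  return ATTRIBUTES.reduce((best, k) => (bits[k] > bits[best] ? k : best), ATTRIBUTES[0]);
}

// Two visitors to compare: a German-language Linux user with script off, and a
// Tor Browser user with script off.
const LINUX_DE_NOJS = { userAgent: FF50_LINUX, languages: 'de-DE,de,en', screen: '1920x1080', timezone: 'Europe/Berlin', javascript: false };
const TOR_NOJS = { userAgent: TOR_UA, languages: 'en-US,en', screen: '1000x700', timezone: 'UTC', javascript: false };

for (const visitor of [LINUX_DE_NOJS, TOR_NOJS]) {
  const share = shareOfFingerprint(POPULATION, visitor);
  console.log(`fingerprint ${share.fingerprint}: ${share.matching} of ${share.total} (${(100 * share.fraction).toFixed(2)} %) share it`);
  for (const [k, bits] of Object.entries(surprisalBreakdown(POPULATION, visitor))) {
    console.log(`  ${k.padEnd(10)} ${bits.toFixed(2)} bits`);
  }
  console.log(`  most identifying attribute: ${mostIdentifyingAttribute(POPULATION, visitor)}`);
}
```

With these numbers the German-language visitor is singled out by the language list (about 10 bits) rather than by having script disabled (under 3 bits), while for the Tor Browser visitor, whose other attributes are shared by thousands of peers, the disabled script engine is the single most identifying attribute. That is the trade-off the thread is arguing about: the same setting costs a lot or a little depending on what everyone else is sending.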

  • (Score: 3, Insightful) by FatPhil (863) on Wednesday November 30 2016, @01:28PM (#434888)
    Only when it's a minority stance.

    The solution to that problem is not to discourage people from doing it, but to encourage more people to do it.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves