"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.
Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."
http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
https://web.archive.org/web/20161130072235/http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in Web pages served by a service known as Freedom Hosting.
http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://web.archive.org/web/20161130031656/http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
"This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://web.archive.org/web/20161130003501/https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
[Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]
(Score: 2) by janrinok on Wednesday November 30 2016, @12:27PM
The argument goes that, if you disable JavaScript, then your browser appears far more unique than everyone else's browser. This means that it is easier to link a specific user (while not necessarily yet knowing who he or she is) to a series of sites or activity because their browser is unique. Subsequently, if the browser is identified, then your history is more easily recoverable.
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @12:37PM
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @01:05PM
I'm pretty sure it is very detectable if your script that should generate certain server requests doesn't generate those server requests.
(Score: 4, Informative) by janrinok on Wednesday November 30 2016, @02:03PM
So, although our own site does not need any other information to display correctly on your device, some sites rely on browser-provided data to give you the best user experience. Such data might include your screen size and resolution, default languages and/or fonts, etc. If you are not convinced, take a look at this site which analyses the data that your browser is currently pushing out [amiunique.org]. If I disable NoScript then I receive the following string on one of my boxes:
(Score: 0) by Anonymous Coward on Thursday December 01 2016, @09:14AM
Well, I'm unique at a similar level (unique among the 255876 collected so far), but looking at the breakdown it's mostly because of my language preferences. 18.27% have no JS, but 0.1% share my language preferences. Then there's my User Agent, shared by only 0.48%. I guess those two already make me unique.
Well, I wasn't aware of that; I guess I'll edit my language preferences and install a User Agent changer.
(Score: 0) by Anonymous Coward on Thursday December 01 2016, @11:18AM
I tried Tor Browser with JavaScript disabled. That site said "But only 1492 browsers out of the 256023 observed browsers (0.58 %) have exactly the same fingerprint as yours."
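The comments above weigh how much each browser attribute narrows the crowd a visitor hides in. The following is an added example, not part of the original thread: it computes the bits of identifying information per attribute and the size of the anonymity set. The population, attribute names and values are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample of 100 browsers: (javascript_enabled, language, user_agent).
ATTRS = ("javascript_enabled", "language", "user_agent")
POPULATION = (
    [(True, "en-US", "UA-common")] * 56
    + [(True, "en-US", "UA-rare")] * 4
    + [(True, "de-DE", "UA-common")] * 20
    + [(False, "en-US", "UA-common")] * 15
    + [(False, "en-US", "UA-tor")] * 4
    + [(False, "cs-CZ", "UA-rare")] * 1
)
RARE = (False, "cs-CZ", "UA-rare")  # the one visitor with unusual settings


def attribute_surprisal(population, browser):
    """Bits revealed by each attribute value on its own: -log2(share)."""
    n = len(population)
    bits = {}
    for i, name in enumerate(ATTRS):
        matches = sum(1 for rec in population if rec[i] == browser[i])
        # A value nobody else has ever shown is maximally identifying.
        bits[name] = -math.log2(matches / n) if matches else float("inf")
    return bits


def anonymity_set(population, browser):
    """Number of observed browsers with exactly the same full fingerprint."""
    return Counter(population)[browser]


def most_identifying(population, browser):
    """Name of the attribute whose value is the rarest in the population."""
    bits = attribute_surprisal(population, browser)
    return max(bits, key=bits.get)


if __name__ == "__main__":
    for name, b in attribute_surprisal(POPULATION, RARE).items():
        print(f"{name:20s} {b:5.2f} bits")
    print("anonymity set:", anonymity_set(POPULATION, RARE))
    print("rarest attribute:", most_identifying(POPULATION, RARE))
```

In this constructed sample, disabling JavaScript costs about 2.3 bits, while the rare language setting alone costs about 6.6 bits, which is enough to single out one browser in 100.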
(Score: 3, Insightful) by FatPhil on Wednesday November 30 2016, @01:28PM
The solution to that problem is not to discourage people from doing it, but to encourage more people to do it.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves