Here's how it was done.
The network is made up of Internet routers run by volunteers who believe in the value of Internet anonymity. These routers are also known as relays.
When you start using Tor, your Internet traffic, instead of going directly to the Web site you want to visit, is encrypted and goes to a Tor relay. Once there, your traffic goes from one relay to another and then finally re-enters the ordinary Internet and arrives at your destination. The return traffic then follows a similar path back to you.
If you then move on to another site, a new path is made over the available Tor relays to take you to your next Web site. What all this means is that if someone tries to backtrack you to your home IP address, they'll only get as far as the last Tor relay before losing you.
By using both encryption and multiple anonymous links, Tor was designed both to prevent your traffic from being read and to make it impossible to use traffic analysis to determine what you were doing on the Web.
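The relay-by-relay path described above can be shown as an added example (not code from Tor or from this article): a client wraps a request in one layer per relay, and each relay peels a single layer and learns only its neighbours. The relay names, the keys and the toy SHA-256 keystream cipher are assumptions made for illustration; real Tor negotiates per-circuit keys and uses different cryptography.

```python
import hashlib, json

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy cipher (SHA-256 counter keystream); illustration only, not Tor's real crypto.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    # Client builds layers inside-out, so the first relay's layer ends up outermost.
    next_hops = path[1:] + [destination]
    cell = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = xor_stream(keys[relay], layer)
    return cell

def peel(relay, keys, cell: bytes):
    # A relay removes exactly one layer and learns only where to forward the rest.
    layer = json.loads(xor_stream(keys[relay], cell))
    return layer["next"], bytes.fromhex(layer["data"])

def route(client, path, keys, destination, payload: bytes) -> dict:
    # Walk the circuit and record what each node could observe.
    cell, prev, hop, seen = wrap(path, keys, destination, payload), client, path[0], {}
    while hop in keys:
        nxt, cell = peel(hop, keys, cell)
        seen[hop] = {"from": prev, "to": nxt}
        prev, hop = hop, nxt
    seen[hop] = {"from": prev, "payload": cell}
    return seen

# Constructed sample circuit: names and keys are made up for this example.
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}

if __name__ == "__main__":
    for node, view in route("client", PATH, KEYS, "example.org", b"GET /").items():
        print(node, view)
```

Only the first relay sees the client, and the destination sees only the last relay, which is why backtracking stops there.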
Some of the Tor routers are servers as well, which can only be reached over Tor. These are known as "hidden services."
According to Tor, with a hidden service it's "possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor 'rendezvous points,' other Tor users can connect to these hidden services, each without knowing the other's network identity. This hidden service functionality could allow Tor users to set up a website where people publish material without worrying about censorship. Nobody would be able to determine who was offering the site, and nobody who offered the site would know who was posting to it." In short, while Tor offered anonymity to its users, Tor's hidden services offered anonymity to relay owners.
That was the theory anyway. It didn't work out that way.
Tor states that "There is no central repository nor registry of addresses" of these hidden service relays. "The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."
This exploit used a known and patched Firefox security hole. Mozilla had fixed this hole in its latest browser, Firefox 21, and Firefox ESR 17.0.7. Not all versions of Firefox shipping with the Tor Browser Bundle (TBB), however, had been patched, according to Daniel Veditz, Mozilla's security lead.
The malware seems to have been in place for several weeks. While the exploit could have been used to do anything up to and including taking over a system, all it did was "collect the hostname and MAC [media access control] address of the victim computer [and] send that to a remote Web-server over a non-Tor connection, and then crash or exit."
Specifically, the attack targeted only Windows TBB users. Therefore, Roger Dingledine, Tor's creator and project leader, said it's "reasonable to conclude that the attacker now has a list of vulnerable [Windows] Tor users who visited those hidden services."
For Tor users, the following versions of TBB include the patched browser: 2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1 and 3.0alpha2. TBB users can determine if they have an up-to-date browser by clicking Help and selecting About Firefox. Whether after this episode anyone will trust Tor for "anonymous" Web browsing is another question.
In the meantime, if you've been using the Windows version of TBB recently on hidden services servers, it's a pretty safe bet that your particular network address is now in the hands of the FBI. This, in turn, means that it's only a matter of time and effort for your real-world address to be revealed as well.
This is a classic privacy dilemma. On the one hand, child abusers may soon find themselves facing jail time. On the other hand, everyone who used hidden services for a legitimate purpose, say tracking human rights abuses in the Syrian civil war, has also had their data collected. The only thing we can say for certain is that Tor's reputation, which had been as the gold standard of Internet anonymity, has been tarnished.