Inside the Tor exploit

Summary: Some of the people who were most concerned about Internet privacy, and were using the Tor anonymous Internet service to protect it, may have been the most exposed.


Everyone agrees that child pornography is evil. Along the way to tracking down Eric Eoin Marques, whom the FBI has called "the largest facilitator of child porn on the planet," the government agency, with the possible assistance of the NSA, broke into the Tor anonymous network, injected JavaScript malware into the Tor-specific version of Firefox, and obtained the Internet addresses of untold numbers of Tor users.

Here's how it was done.

Tor, which is recommended by the Electronic Frontier Foundation (EFF) for helping you to "protect your anonymity while using the Internet," is made up of two parts: software and the Tor network.

The software, known as the Tor Browser Bundle (TBB), is built around a customized version of the Mozilla Firefox Extended Support Release (ESR). It can be used on Linux, Mac OS, and Windows.

The network is made up of Internet routers run by volunteers who believe in the value of Internet anonymity. These routers are also known as relays.

When you first use Tor, your traffic is encrypted and bounced from one Tor relay to another. (Credit: EFF)

When you start using Tor, your Internet traffic, instead of going directly to the Web site you want to visit, is encrypted and goes to a Tor relay. Once there your traffic goes from one relay to another and then finally re-enters the ordinary Internet and arrives at your destination. The return traffic then follows a similar path back to you.

When you move to another site, your traffic takes a new encrypted path over the Tor network. (Credit: EFF)

If you then move on to another site, a new path is made over the available Tor relays to take you to your next Web site. What all this means is that if someone tries to backtrack you to your home IP address, they'll only get as far as the last Tor relay before losing you.

By using both encryption and multiple anonymous links, Tor was designed both to prevent your traffic from being read and to make it impossible to use traffic analysis to determine what you were doing on the Web.
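The layered encryption described above can be made concrete with a small model. This is an added example, not code from the article or from the Tor project: each relay holds a key shared only with the client, peels exactly one layer, and learns nothing beyond the previous and next hop. The XOR keystream is a constructed stand-in used only to make the layering visible; it is not Tor's cipher and is not suitable for real use.

```python
import hashlib
import json

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (constructed for illustration only, not Tor's):
    XOR with a SHA-256 counter keystream. Applying it twice restores the input."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(relays, destination: str, payload: str) -> bytes:
    """Client side: wrap the request in one layer per relay, innermost first.
    relays is an ordered list of (name, key shared with that relay); the exit is last."""
    # Innermost layer: only the exit relay learns the final destination.
    onion = _keystream_xor(relays[-1][1], json.dumps({"next": destination, "data": payload}).encode())
    # Working outwards, each earlier relay's layer names only the hop after it.
    for (_, key), (next_name, _) in zip(reversed(relays[:-1]), reversed(relays[1:])):
        wrapper = json.dumps({"next": next_name, "data": onion.hex()})
        onion = _keystream_xor(key, wrapper.encode())
    return onion

def relay_peel(key: bytes, onion: bytes):
    """One relay strips its own layer and learns only the next hop plus an opaque blob."""
    layer = json.loads(_keystream_xor(key, onion))
    return layer["next"], layer["data"]

def route(relays, onion: bytes, client: str = "client-ip"):
    """Walk the circuit, recording what each relay sees on either side of it."""
    views, prev, blob = [], client, onion
    for i, (name, key) in enumerate(relays):
        nxt, data = relay_peel(key, blob)
        views.append({"relay": name, "sees_prev": prev, "sees_next": nxt})
        prev = name
        # Middle layers carry the next onion as hex; the exit layer carries plaintext.
        blob = bytes.fromhex(data) if i < len(relays) - 1 else data
    return views, data  # data is what the exit forwards to the destination

def relays_seeing_both_ends(views, client: str, destination: str):
    """The anonymity property: no single relay should see both the client and the destination."""
    return [v["relay"] for v in views if v["sees_prev"] == client and v["sees_next"] == destination]

if __name__ == "__main__":
    circuit = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]
    views, forwarded = route(circuit, build_onion(circuit, "example.org", "GET /"))
    for v in views:
        print(v)
    print("exit forwards:", forwarded, "| relays seeing both ends:", relays_seeing_both_ends(views, "client-ip", "example.org"))
```

With a single relay the property collapses, which is why a real circuit uses several hops; the model shows that a one-hop "circuit" lets that relay see both ends.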

Some of the Tor routers are servers as well, which can only be reached over Tor. These are known as "hidden services."

According to Tor, with a hidden service it's "possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor 'rendezvous points,' other Tor users can connect to these hidden services, each without knowing the other's network identity. This hidden service functionality could allow Tor users to set up a website where people publish material without worrying about censorship. Nobody would be able to determine who was offering the site, and nobody who offered the site would know who was posting to it." In short, while Tor offered anonymity to its users, Tor's hidden services offered anonymity to relay owners.

That was the theory anyway. It didn't work out that way.

Tor states that "There is no central repository nor registry of addresses" of these hidden service relays. "The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."

That's pretty much what happened, except it was a malicious bit of JavaScript.

The FBI, possibly with the assistance of the NSA and the private security contractor SAIC, broke into hidden service servers and planted JavaScript malware on them. Among other hidden services sites it did this with was Marques' Freedom Hosting server. Once there, the sites infected any visitors using the TBB Firefox browser.

This exploit used a known and patched Firefox security hole. Mozilla had fixed this hole in its latest browser, Firefox 21, and Firefox ESR 17.0.7. Not all versions of Firefox shipping with the TBB, however, had been patched, according to Daniel Veditz, Mozilla's security lead.

The malware seems to have been in place for several weeks. While the exploit could have been used to do anything up to and including taking over a system, all it did was "collect the hostname and MAC [media access control] address of the victim computer [and] send that to a remote Web-server over a non-Tor connection, and then crash or exit."
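The payload's tell, as described above, is that it phoned home over a non-Tor connection. As an added example (not code from the article or the Tor project), this Python checks a per-process egress log for exactly that pattern: any connection from the bundled browser process that does not go to the local Tor proxy on loopback. The process name, the simplified log format and the sample records are constructed assumptions; in practice the records would come from a host firewall or EDR that attributes connections to processes.

```python
import ipaddress
from dataclasses import dataclass

# Assumption, not a value from the article: the process name of the bundled
# Firefox on Windows. Adjust per deployment.
TOR_BROWSER_PROCESS = "firefox.exe"

# Constructed sample egress records in a simplified "process,dst_ip,dst_port"
# format (not real capture data). tor.exe reaching relays directly is normal;
# the browser itself should only ever talk to the local proxy on loopback.
SAMPLE_LOG = """\
firefox.exe,127.0.0.1,9150
tor.exe,203.0.113.10,443
firefox.exe,127.0.0.1,9150
firefox.exe,198.51.100.77,80
tor.exe,192.0.2.44,9001
firefox.exe,192.0.2.53,53
"""

@dataclass(frozen=True)
class Finding:
    process: str
    dst_ip: str
    dst_port: int
    reason: str

def find_proxy_bypass(log_text: str, browser: str = TOR_BROWSER_PROCESS) -> list:
    """Return every browser-process connection that left the host without going via Tor."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proc, dst_ip, port_text = (field.strip() for field in line.split(","))
        dst_port = int(port_text)
        if proc != browser:
            continue  # the Tor daemon legitimately connects to relays itself
        if ipaddress.ip_address(dst_ip).is_loopback:
            continue  # expected path: browser -> local SOCKS/control ports -> Tor circuit
        if dst_port == 53:
            reason = "DNS resolved outside Tor (destination hostname leaked)"
        else:
            reason = "direct Internet connection from the browser, bypassing Tor"
        findings.append(Finding(proc, dst_ip, dst_port, reason))
    return findings

if __name__ == "__main__":
    for f in find_proxy_bypass(SAMPLE_LOG):
        print(f"LEAK {f.process} -> {f.dst_ip}:{f.dst_port}: {f.reason}")
```

The same rule expressed as a host firewall policy (browser process may only connect to loopback) would have blocked the callback rather than merely logging it.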

Specifically, the attack targeted only Windows TBB users. Therefore, Roger Dingledine, Tor's creator and project leader, concluded it's "reasonable to conclude that the attacker now has a list of vulnerable [Windows] Tor users who visited those hidden services."

The NSA and SAIC enter the picture, claim Baneki Privacy Labs, a tech activist group, and Cryptocloud, a secure networking company, because the JavaScript exploit forwarded users' data to a Web server with an IP address that was managed by SAIC for the NSA. Since the NSA's mission is to monitor foreign communications and Marques's Freedom Hosting site seems to have been located in Ireland, it makes perfect sense for the NSA to have been involved.

For Tor users, the following versions of TBB include the patched browser: 2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1 and 3.0alpha2. TBB users can determine if they have an up-to-date browser by clicking Help and selecting About Firefox. Whether after this episode anyone will trust Tor for "anonymous" Web browsing is another question.

In the meantime, if you've been using the Windows version of TBB recently on hidden services servers, it's a pretty safe bet that your particular network address is now in the hands of the FBI. This, in turn, means that it's only a matter of time and effort for your real-world address to be revealed as well.

This is a classic privacy dilemma. On the one hand, child abusers may soon find themselves facing jail time. On the other hand, everyone who used hidden services for a legitimate purpose, say tracking human rights abuses in the Syrian civil war, has also had their data collected. The only thing we can say for certain is that Tor's reputation, which had been as the gold standard of Internet anonymity, has been tarnished.

  • My take,

    I wouldn't trust the patched versions either. If the spooks want in, they get in, it's just that simple.
  • What does this mean?

    All the dissidents the State Department has been telling to use TOR are going to be arrested and executed anyway?
    • Yes because the nsa and fbi have decided to give

      the collected data in unfiltered form to Syria, North Korea, and the chicoms. Are you really worried about that or more concerned that another putz like Snowden will delude himself into thinking that'd be a great idea?
      Johnny Vegas
      • Perhaps the whole internet was a trap created by US Empire

        1. Control all people all over the world
        2. increase fear and uncertainty
        3. increase American "dream": "freedom" (of corporate)
        4. Corporate dictatorship, whole world as home market for American big corporate
        5. Trying to make all people of the world look like, sound, think like American

        The idealism of internet died in summer 2013. It's just the same old b--sh..t...
  • Time to change the MAC address

    Next time to be safe, change your MAC address
    • That's useless online.

      Changing MAC address is pointless outside local networks.
  • Anoymoity?

    This was an interesting article, but seriously, "anoymoity"?
    • anonymity

      sjvn never checks his spelling and so is atrocious to read. It's better to just skip over it and let it go.
      • He uses those fancy free word processors

        Couldn't be bothered to turn on any of the features though
  • In the Summary...

    "and we're using the Tor anonymous Internet service..." Hmmm. Freudian slip?
    >> "and were using the Tor anonymous Internet service..."
    Too-Tired Techie
    • we're were

      his mind types light years ahead of his fingers and they therefore trip all over themselves in their effort to keep up with the unending flow of words spewing from his diseased mind, hence the resulting typos.
  • Just switch to the latest version...

    of Tor Browser Bundle. It's that easy.
    • If they got into one

      they can get into another. Anyone that thinks electronic transmissions can't be traced may want to reconsider their sanity
  • Fascist entrapment

    The corporate fascists like the Fan Belt Inspectors are experts at planting evidence in order to frame someone and take them down. Many freedom fighters are having kiddie porn malware planted on their 'puters, then brought down by the Corporate Fascist 4th Reich. Meanwhile, the criminals in government run amuck.
    Classic Nazi tactics were/are: 1) IDENTIFY, 2) ISOLATE, 3) EXTERMINATE... This is how they liquidated the Jews. Phase I is complete; you have been identified. Now comes Isolate, then Terminate... Mission Complete. The good guys lost.
  • Rumors as facts

    As of yet, there has been no confirmation that Eric Eoin Marques is in fact the owner of Freedom Hosting. There is most assuredly no direct confirmation that the exploit was inserted by the FBI/NSA.

    The statement, "Not all versiosn of Firefox shipping with the TBB, however, had been patched," is misleading. The only versions that have not been patched are those users who failed to update their TBB over a month ago. Everyone running the most current version of the TBB was safe and not affected.

    "The malware seems to have been in place for several weeks." I'd love to know the source of that statement, as everyone else is saying it was inserted/detected when Freedom Hosting went down and then came back up.

    "The only thing we can say for certain is that Tor's reputation, which had been as the Gold-standard of Internet anonymity, has been tarnished." Tor is working perfectly, and is not the problem here. Someone, *allegedly* the FBI, gained physical access to the Freedom Hosting servers, and then inserted malicious javascript that exploited a known vulnerability that was *patched* more than a month ago.

    Tor itself has *not* been compromised in any way. Only people who failed to update their Tor Browser were at risk. How did they find Marques, if in fact he is the owner of FH? The evidence points to his use of BitCoins, money transfers and bank accounts. Not any vulnerability in Tor.
  • Security is always layered. Only the dumbest wouldn't layer

    The points that this article fails to point out are -

    1. The Tor Browser Bundle ships with NoScript. While the default is set to "allow scripts globally", anyone with a little brains will turn NoScript on, which in turn prevents the execution of the malicious JavaScript.

    2. A good % of users of Tor use TAILS linux. So this is a second group that isn't impacted by this security hole.

    3. If revelation of your identity means death or even a beating then you will be smart enough to know how to use tools like macchanger.

    So my conclusion: the only ones caught were the least tech savvy ones using Windows. My guess is that it isn't more than a handful of persons.