Firefox zero-day: Mozilla races to patch bug used to attack Tor browser users

Unknown attackers are exploiting a Firefox zero-day vulnerability to grab details about Tor Browser users.



Users of online anonymity network Tor are facing a new attack that uses nearly identical code to a Firefox exploit used by the FBI in 2013.

Tor co-founder Roger Dingledine says Mozilla is working on a patch for Firefox to counter the newfound JavaScript exploit, which was published on Tor's official website as part of a warning that Tor users are under attack now.

Someone using the Tor-hidden email service Sigaint wrote on Tor's mailing list: "This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured."


While the attacks are currently targeting Tor users, the publication of the exploit code allows anyone to use it, potentially putting all Firefox users at risk from new attacks. The Tor Browser is based on a version of Firefox and the two often share common vulnerabilities.

Mozilla is tracking the bug, which means a fix should be on its way soon. Early analyses suggest it requires JavaScript to be enabled in the browser.

Dan Guido, security researcher and CEO of Trail of Bits, notes that macOS is also vulnerable. However, the exploit currently only targets Firefox on Windows.

A researcher going by the @TheWack0lian handle on Twitter has analyzed the exploit and says it is virtually identical to one that the FBI admitted to using in 2013 to unmask visitors to a dark-web child-abuse site hosted on Freedom Hosting.

"When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn't looking at a three-year-old post," TheWack0lian wrote.

The FBI's 2013 malware was designed to send the user's host name and MAC address to a server hosted at a different IP address from the one used in the new attack. According to TheWack0lian, the new malware sends a unique identifier to a server at an address assigned to French ISP OVH, but that address currently isn't responding.

To some, this connection to a French address throws into question any suspicion that the new malware is linked to an FBI operation.

According to privacy advocate Christopher Soghoian: "The Tor malware calling home to a French IP address is puzzling, though I'd be surprised to see a US federal judge authorize that."

In a series of posts on Twitter, Guido commented that this exploit is not particularly sophisticated and would be more difficult to exploit on Chrome and Edge due to memory partitioning, which Firefox lacks.

"Final thoughts: the Tor Browser Bundle is unable to protect those who need it most. If you rely on it, strongly reconsider your choices," Guido wrote.
