There's a zero-day exploit in the wild that's being used to execute malicious code on the computers of people using Tor and possibly other users of the Firefox browser, officials of the anonymity service confirmed Tuesday.
Tor cofounder Roger Dingledine quickly confirmed the previously unknown vulnerability and said engineers from Mozilla were in the process of developing a patch. According to security researchers who analyzed the code, it exploits a memory corruption vulnerability that allows malicious code to be executed on computers running Windows. The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in webpages served by a service known as Freedom Hosting. The FBI used a non-public vulnerability to hack suspects on Tor.
"It's basically almost EXACTLY the same as the payload used in 2013," TheWack0lian told. "It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed." Analysis of the 2013 attack is here. Where that attack sent a unique identifier to a server located at the IP address of 220.127.116.11, the new one sends data to a server at 18.104.22.168. The latter IP address is assigned to French Web host OVH. It wasn't responding to queries at the time this post was being prepared.