Hacking

The code of a Firefox Zero-Day Exploit used to unmask Tor Users is online

A zero-day exploit in the wild has been used by threat actors to de-anonymize Tor users by executing malicious code on Windows machines.

The news is disconcerting and confirms the existence of a zero-day exploit in the wild that’s being used by threat actors to de-anonymize Tor users by executing malicious code on their machine. The zero-day exploit targets Tor users and also other netizens using the Firefox browser.

The zero-day vulnerability was first mentioned on the official Tor website, a blog post quoted a Javascript exploit that is actively exploited in the wild to unmask Tor Browser users.

“This is an Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to “VirtualAlloc” in “kernel32.dll” and goes from there. Please fix ASAP. I had to break the “thecode” line in two in order to post, remove ‘ + ‘ in the middle to restore it.” reads the post.

Roger Dingledine, the notorious Tor co-founder, confirmed the zero-day and announced that the Mozilla security team is already working to fix it.

The zero-day is a memory corruption vulnerability that could be exploited to execute malicious code on Windows Machines.

zero-day flawzero-day flaw

The security researcher Raylee (@TheWack0lian) explained that the payload used in the recent wave of attacks is quite similar to the one used by law enforcement in 2013 to de-anonymize the users of a child pornography site hosted on Freedom Hosting.

“It’s basically almost EXACTLY the same as the payload used in 2013,” TheWack0lian told Ars. “It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed.”

According to the security researcher Joshua Yabut the zero-day exploit triggers a heap overflow vulnerability that requires JavaScript to be enabled on the target machine.

The zero-day exploit code works on various versions of the Firefox browser, from 41 to 50, the code is able to target all these versions a circumstance that suggests that its authors have improved the malicious code across the time.

As usual, the public disclosure of the Javascript code could allow threat actors in the wild to use it to track Tor users.

Waiting for a patch from Mozilla, users avoid relying on Tor to protect their anonymity.

As usual, it is strongly suggested to disable JavaScript.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Mozilla Firefox Zero-day, hacking)

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…

1 hour ago

Ivanti fixed two EPMM flaws exploited in limited attacks

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…

3 hours ago

Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days

Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…

12 hours ago

Fortinet fixed actively exploited FortiVoice zero-day<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…

14 hours ago

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

Interlock Ransomware 's attack on a defense contractor exposed global defense supply chain details, risking…

1 day ago

Marks and Spencer confirms data breach after April cyber attack

Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack…

1 day ago