Advice on Tor use in wake of Freedom Hosting compromise
In the wake of the discovery that someone has compromised Tor hidden services hosted by Freedom Hosting and injected malicious JavaScript aimed at de-anonymizing specific users, the Tor Project has advised Tor users to keep their Tor Browser Bundle (TBB) updated, switch away from Windows, and disable JavaScript.
“An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted,” Roger Dingledine, one of the original developers of Tor and director of The Tor Project, wrote in a security advisory released on Monday.
“To be clear, while the Firefox vulnerability is cross-platform, the attack code is Windows-specific. It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack,” he pointed out, and added that “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”
While there are TBB versions in which the vulnerability had been patched even before the attack – 2.3.25-10; 2.4.15-alpha-1; 2.4.15-beta-1; and 3.0alpha2, to be exact – Dingledine says that users need to realize that this wasn’t the first Firefox vulnerability, nor will it be the last, and that they should consider disabling JavaScript, even though this will make some websites not work as expected.
He also pointed out that even though JavaScript is the biggest attack surface, many other vectors for vulnerabilities in Firefox remain, including CSS, SVG, XML, and so on.
“Consider switching to a ‘live system’ approach like Tails. Really, switching away from Windows is probably a good security move for many reasons,” he advises. “Be sure to keep up-to-date in the future. Tor Browser Bundle automatically checks whether it’s out of date, and notifies you on its homepage when you need to upgrade. Recent versions also add a flashing exclamation point over the Tor onion icon.”
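Following the advisory's "keep up to date" advice in practice means knowing whether an installed bundle is at or above the fixed version for its branch. The following Python helper is an added example (not code from the Tor Project or the article) that compares a TBB version string against the four patched versions quoted above; the version-string grammar it assumes is inferred from those four examples.

```python
import re

# Tor Browser Bundle versions in which the Firefox vulnerability was already
# patched, as listed in the Tor Project advisory, keyed by release branch.
PATCHED = {
    "2.3": "2.3.25-10",
    "2.4-alpha": "2.4.15-alpha-1",
    "2.4-beta": "2.4.15-beta-1",
    "3.0-alpha": "3.0alpha2",
}

# Assumed grammar, inferred from the advisory's examples: major.minor, an
# optional .patch, an optional alpha/beta stage and an optional build number,
# with hyphens allowed between the parts ("2.3.25-10", "3.0alpha2", ...).
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-?(alpha|beta)?-?(\d+)?$")


def parse_tbb_version(s):
    """Split a TBB version string into (branch, comparable tuple).

    The branch is "major.minor" plus the stage if present, so stable and
    alpha/beta lines are compared only against their own fixed version.
    """
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised TBB version: {s!r}")
    major, minor, patch, stage, build = m.groups()
    branch = f"{major}.{minor}" + (f"-{stage}" if stage else "")
    key = (int(major), int(minor), int(patch or 0), int(build or 0))
    return branch, key


def is_patched(installed):
    """True if `installed` is at or above its branch's fixed version,
    False if it is older, None if the branch is not in the advisory."""
    branch, key = parse_tbb_version(installed)
    fixed = PATCHED.get(branch)
    if fixed is None:
        return None  # unknown branch: cannot conclude, treat as unverified
    return key >= parse_tbb_version(fixed)[1]


if __name__ == "__main__":
    for v in ("2.3.25-10", "2.3.25-9", "2.4.14-beta-1", "3.0alpha2", "2.4.15"):
        print(v, "->", is_patched(v))
```

A `None` result means the branch is not covered by the advisory's list and should be treated as unverified rather than safe.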
In the meantime, researchers analyzing the JavaScript exploit in question claim that it sends the victim’s MAC address and Windows hostname to a server at an IP address belonging to US defense contractor SAIC, within several blocks of IP addresses that the company allocated to the NSA.
UPDATE:
Bitdefender added detection against the Tor Browser Bundle exploit to its products.
“As the exploit is, we judge the probability of it being used in other attacks by other actors as high. So far, a handful of installed Bitdefender instances in France and the Dominican Republic have reported detection of the exploit,” they shared.