Connect with us

Hi, what are you looking for?



Mozilla Patches Firefox Zero-Day Exploited to Unmask Tor Users

Security updates released on Wednesday for Firefox and the Tor Browser address a zero-day vulnerability exploited to deanonymize Tor users. Evidence suggests that the exploit may have been used by a law enforcement agency in an operation targeting child pornography distributors.

Security updates released on Wednesday for Firefox and the Tor Browser address a zero-day vulnerability exploited to deanonymize Tor users. Evidence suggests that the exploit may have been used by a law enforcement agency in an operation targeting child pornography distributors.

The exploit surfaced earlier this week and Mozilla immediately started working on a patch. According to the organization, the vulnerability leveraged by the exploit is a critical use-after-free affecting the SVG Animation component in Firefox.

Mozilla resolved the flaw, tracked as CVE-2016-9079, with the release of Firefox 50.0.2, Firefox ESR 45.5.1 and Thunderbird 45.5.1. In the Tor Browser, which is based on Firefox, the issue has been addressed in version 6.0.7. The Tor Project told users that those who had set their security slider to “High” were not affected by the vulnerability.

The exploit has been analyzed by several organizations. Mozilla said the attackers used it to execute arbitrary code on targeted systems by getting the targeted individual to open a webpage containing specially crafted JavaScript and SVG code. The payload is designed to harvest the targeted system’s IP and MAC address and send it back to a remote server.

“In this case, for example, the goal is to leak user data with as minimal of a footprint as possible. There’s no malicious code downloaded to disk, only shell code is ran directly from memory,” explained researchers at Malwarebytes.

The exploit has been designed to work only on Windows systems, but the vulnerability affects Linux and Mac OS as well. Memory partitioning mitigations make this flaw difficult to exploit in Chrome and Edge.

G Data researchers have also analyzed the shellcode and they determined that it “looks clean and organized” and “it contains error checking and cleans up after it has fulfilled its purpose.”

Advertisement. Scroll to continue reading.

The researcher known online as “TheWack0lian” determined that the payload is similar to the one used by the FBI in 2013 to identify Tor users suspected of being child-pornography traders. A user reported on Hacker News that the exploit was loaded on the login confirmation page of a dark web child pornography website called Giftbox.

Earlier this year, Mozilla asked a court in the Western District of Washington to require the government to disclose a flaw exploited by law enforcement in 2015 in a different operation aimed at child pornography suspects.

“The exploit in this case works in essentially the same way as the ‘network investigative technique’ used by FBI to deanonymize Tor users (as FBI described it in an affidavit). This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency,” Daniel Veditz, security lead at Mozilla, said in a blog post on Wednesday.

“As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web,” Veditz added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.