Sunday, May 12, 2019
Home / Security / Exploits / TOR Firefox Browser 0-Day

TOR Firefox Browser 0-Day

A new  0-Day affecting Mozilla’s Firefox version 17 is blowing up this week, not simply because it is a zero-day but mainly because it appears to be part of a U.S. government program to uncover the identity of people using the Tor Browser to view child pornography.

Last Saturday, it was reported that the FBI wanted to extradite who they named the ‘biggest child-porn dealer on the planet’. The following day, numerous services offered up by the Tor network where discontinued.

Malicious code that had been put in in a large number of concealed websites was unveiled. The code wasn’t just your ordinary exploit, but a Zero-Day that affected a specific version of Firefox, one that happened to be bundled in the Tor Browser.

A new exploit delivered on hidden websites which targets the Firefox browser bundled in Tor but not the latest Firefox seems a bit strange.

More clues came after analysis of the shell code revealed that there was no malicious payload to this exploit, but one very distinct feature: a request to a server hosted in the US fetching the victim’s real IP address. Very clever indeed.

If you add all these elements together, this looks like a law enforcement operation, although we might never know for sure, especially right now, when all eyes are on the U.S. government with regards to the NSA programs.

The Tor Browser is used around the world by all sorts of people who wish to remain anonymous online. In several countries with oppressive regimes, it is the only way  for dissidents to browse the Internet freely and not risk going to jail.

Tor bounces your Internet connection over several networks and hides your machine’s real IP address. With an IP address, one can determine your physical location, Internet Service Provider, etc…

The ability to hide one’s identity is something cyber-criminals have cherished for a long time and while Tor can be used for legitimate purposes, unfortunately one cannot prevent it from being abused by malicious actors.

This discovery is likely to spark many debates about the spying programs. While taking down pedophiles should be applauded, does the end justify the means?

You can download an example of the exploit here:

Cross-posted from

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Silent OS 3.0 for Blackphone Completely revamped

Version 3.0 migrates Silent OS to Android Marshmallow 6.0.1 and delivers the Android safety patch …