Posts Tagged: Ofir David

Aug 13

Firefox Zero-Day Used in Child Porn Hunt?

A claimed zero-day vulnerability in Firefox 17 has some users of the latest Mozilla Firefox browser (Firefox 22) shrugging their shoulders. Indeed, for now it appears that this flaw is not a concern for regular, up-to-date Firefox end users. But several experts say the vulnerability was instead exposed and used in tandem with a recent U.S. law enforcement effort to discover the true Internet addresses of people believed to be browsing child porn sites via the Tor Browser — an online anonymity tool powered by Firefox 17.

Freedom Hosting's Wiki page on the Tor network's HiddenWiki page.

Freedom Hosting’s entry on the Tor network’s The Hidden Wiki page.

Tor software protects users by bouncing their communications across a distributed network of relays run by volunteers all around the world. As the Tor homepage notes, it prevents anyone who might be watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets users access sites that are blocked by Internet censors.

The Tor Browser bundle also is the easiest way to find Web sites that do not want to be easily taken down, such as the Silk Road (a.k.a. the “eBay of hard drugs“) and sites peddling child pornography.

On Saturday, Aug. 3, 2013,, an Irish news outlet, reported that U.S. authorities were seeking the extradition of Eric Eoin Marques, a 28-year-old with Irish and American citizenship reportedly dubbed by the FBI as “the largest facilitator of child porn on the planet.” According to the Independent, Marques was arrested on a Maryland warrant that includes charges of distributing and promoting child porn online.

The Tor Project’s blog now carries a post noting that at approximately midnight on August 4th “a large number of hidden service addresses disappeared from the Tor Network, sites that appear to have been tied to an organization called Freedom Hosting — a hosting service run on the Tor Network allegedly by Marques.

torHidden services can be used to run a variety of Web services that are not directly reachable from a normal Internet connection — from FTP and IRC servers to Web sites. As such, the Tor Network is a robust tool for journalists, whistleblowers, dissidents and others looking to publish information in a way that is not easily traced back to them.

“There are rumors that a hosting company for hidden services is suddenly offline and/or has been breached and infected with a javascript exploit,” writes “phobos,” a Tor Project blogger. Phobos notes that the person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research, and continues:

“The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.”

Even if the claimed vulnerability is limited to Firefox version 17, such a flaw would impact far more than just Tor bundle users. Mozilla says it has been notified of a potential security vulnerability in Firefox 17, which is currently the extended support release (ESR) version of Firefox. Last year, Mozilla began offering an annual ESR of Firefox for enterprises and others who didn’t want to have to keep up with the browser’s new rapid release cycle.

“We are actively investigating this information and we will provide additional information when it becomes available,” Michael Coates, director of security assurance at Mozilla, wrote in a brief blog post this evening.

Continue reading →