Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.

Mathew J. Schwartz, Contributor

August 5, 2013

6 Min Read

Did an FBI sting operation exploit a vulnerability in Firefox to disable the anonymity offered by the Tor network, for the purposes of cataloging the Internet protocol (IP) addresses of visitors to sites that distribute child pornography?

While details are still emerging, that's one thesis being advanced by information security experts, after Freedom Hosting -- which offers anonymous Tor software services, but isn't affiliated with The Tor Project itself -- went dark, sometime before midnight Sunday. The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service.

The Freedom Hosting takedown may be tied to the arrest of 28-year-old Eric Eoin Marques in Dublin last Monday, following a reportedly year-long attempt by the FBI to identify and locate him. A warrant for his arrest on child pornography distribution charges was issued July 29 by the U.S. attorney general in Maryland. The charges carry a maximum prison sentence of 30 years.

[ How deep can the feds' surveillance really go? For example, Can The NSA Really Track Turned-Off Cellphones? ]

During a related extradition hearing in Ireland last week, an FBI special agent characterized Marques as being "the largest facilitator of child porn on the planet," Ireland's Independent newspaper reported Saturday.

According to public records, Marques -- who holds dual Irish and American citizenship -- is one of two directors of Ireland-based service provider Host Ultra Limited. Multiple news reports have also suggested that Marques is the operator of Freedom Hosting. But a spokeswoman for the U.S. Attorney's Office in Maryland, contacted by phone, wasn't immediately able to confirm the details of the arrest warrant, including whether Marques has been accused of running Freedom Hosting.

Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox 17 and is the easiest way for people to access Tor's hidden services. Based on a teardown of the malware, it was an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the hack attack and takedown were tied to Marques' arrest.

In fact multiple security researchers have said the relative non-maliciousness of the attack suggests that it may have been the work of a law enforcement agency (LEA) such as the FBI. "Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA and not by blackhats," according to an analysis posted by reverse-engineering expert Vlad Tsrklevich.

Tor's hidden services, which are denoted by a dot-onion (.onion) domain name -- always randomly generated -- are a lesser-known feature of Tor, which can be used to make a website reachable only via the Tor network.

"The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user," said "Phobos," a Tor project blogger, in a "Hidden Services, Current Events and Freedom Hosting" blog post. "The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."

Hidden services offer anonymity to people such as whistleblowers and dissidents. But the feature has also gained notoriety by being used by services such as activists, as well as by services such as Silk Road -- an online marketplace known for facilitating the buying and selling of illegal drugs -- and for distributing child pornography. Who's now at risk from the Firefox flaw exploited by the injection script? In fact, the vulnerability was patched on June 25, 2013, with the release of Firefox 22 and Firefox Extended Service Release (ESR) -- which is often used by enterprises -- version 17.0.7.

"People who are on the latest supported versions of Firefox are not at risk," wrote Daniel Veditz, Mozilla's security lead, in a Sunday blog post. "Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack."

Anyone still using a vulnerable version of the TBB can mitigate the vulnerability by deactivating JavaScript in their Firefox browser. "We're investigating these bugs and will fix them if we can," said Tor's Phobos.

Responding to criticism that a zero-day vulnerability in Firefox had been used to compromise Tor users, Mozilla's Veditz countered that the bug had already been publicly disclosed and fixed. "This wasn't a 'zero day' attack, it was an exploit based on a security advisory from six weeks ago," he said. "The number of users vulnerable to this -- those who aren't up to date -- is dropping fast so the exploit is losing most of its value anyway."

The timing of the apparent Freedom Hosting takedown and bust of Marques -- which happened the same week as the annual Black Hat and DEF CON conventions -- didn't go unnoticed by the hacking community. "FBI uploads malicious code on the deep websites while everyone is off at DEF CON. Talk about playing dirty," posted "VarthDator" on a related Reddit thread.

Marques, meanwhile, remains incarcerated in Ireland, following his request for bail having been denied, after a judge classified him as a flight risk. That was based on testimony that Marques had routed large amounts of money from his bank accounts to accounts based in Romania. Authorities also said that based on a digital forensic examination of Marques' computer, he'd been researching how to obtain a visa for Russia. Marques countered in court that he'd only been researching the issue out of curiosity, in response to news about NSA whistleblower Edward Snowden.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights