Skip to main content
  1. Home
  2. Computing
  3. Web
  4. News

Crashing the masquerade ball: New Firefox exploit could expose Tor users

Add as a preferred source on Google

Mozilla engineers are patching a previously unknown JavaScript zero-day exploit that could expose Tor users.

The exploit was delivered through a Tor mailing list that when opened could unveil the MAC address and possibly even the IP address of a user running Tor Browser on Firefox. It is “100 percent effective for remote code execution on Windows systems,” said security researcher Joshua Yabut. Versions 41 to 50 of Firefox are reportedly affected.

Recommended Videos

According to reports, the zero-day’s code exploits a memory corruption vulnerability on Windows devices. It requires JavaScript to be running on your machine in order to work. The code, which has now been reverse engineered, does not appear to be responding to connections any more.

One security researcher on Twitter, @TheWack0lian, noted that the code is almost identical to an exploit infamously used by the FBI in 2013 to hack into a child pornography site running on Tor and identify its users.

Roger Dingledine, Tor project lead, acknowledged that the bug had been discovered after it was flagged by a user called sigaint, and Tor is taking the necessary steps in response to the discovery.

“So it sounds like the immediate next step is that Mozilla finishes their patch for it; then the step after that is a quick Tor Browser update,” said Dingledine. “And somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser.”

Mozilla too is aware of the exploit, but we don’t have any update on a patch as of this writing. We do know however that this zero-day has in fact been exploited already and with the code now being publicly available, it makes the whole thing a little bit more dangerous. Firefox users should consider using a different browser until an update is released, or at least disable JavaScript as much as possible.

Jonathan Keane
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Amazon wants to design in-house chips for Kindles, Fire TV, and Echo speakers
Apple did it first. Amazon is doing it now, starting with 40 million chips a year and a partner most people have never heard of.
Amazon Kindle Scribe dark mode featured image.

Apple's decision to design its own chips reshaped the consumer electronics industry. Amazon may be about to make the same call, just about two decades later.

Supply chain analyst Ming-Chi Kuo reports that Amazon is preparing to shift away from externally sourced processors for its consumer electronics lineup, marking what he describes as the company's first major processor procurement change in 20 years. The transition is expected to begin in 2027.

Read more
AI wants to summarize it all. TripAdvisor’s misleading reviews show AI will also ruin your travel plans
Spotless, friendly, and totally wrong. AI summaries are hiding the reviews that actually matter.
Tripadvisor logo on MacBook

Planning a trip is stressful enough without wondering if the glowing hotel summary you just read was written by an AI that skipped the scary parts. As it turns out, that might be exactly what's happening on TripAdvisor.

According to an investigation by consumer group Which?, reported by the Guardian, TripAdvisor's AI-generated review summaries are smoothing over serious guest complaints, and in some cases, downright dangerous ones.

Read more
Opera’s new Paste Protect feature stops the clipboard attack your antivirus can’t catch
ClickFix attacks trick you into compromising your own device, and no major browser had a native defense against them until now.
Opera Paste Protect featured

Most online scams are easy enough to spot once you know what to look for. Fake login pages, suspicious attachments, or urgent wire transfer requests are dead giveaways. But ClickFix doesn't look like any of them. It presents itself as a solution, and it asks you to do something so routine that few people think twice about it.

The technique was behind more than 53 percent of malware loader incidents last year, according to cybersecurity firm Huntress, and no major browser had a native defense against it until now. Opera is fixing that with a new feature called Paste Protect.

Read more