The exploit was delivered through a Tor mailing list that when opened could unveil the MAC address and possibly even the IP address of a user running Tor Browser on Firefox. It is “100 percent effective for remote code execution on Windows systems,” said security researcher Joshua Yabut. Versions 41 to 50 of Firefox are reportedly affected.
One security researcher on Twitter, @TheWack0lian, noted that the code is almost identical to an exploit infamously used by the FBI in 2013 to hack into a child pornography site running on Tor and identify its users.
Roger Dingledine, Tor project lead, acknowledged that the bug had been discovered after it was flagged by a user called sigaint, and Tor is taking the necessary steps in response to the discovery.
“So it sounds like the immediate next step is that Mozilla finishes their patch for it; then the step after that is a quick Tor Browser update,” said Dingledine. “And somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser.”
- The worst Apple Watch problems, and how to fix them
- The best web browsers for 2019
- Qualcomm Snapdragon 8cx vs. Intel Core i5
- WhatsApp has 400 million users in India, but no fix for its fake news problem
- Huawei gets another short reprieve from ban, but the future doesn’t look hopeful