Posted on December 1, 2016 in Data Breach & Technology, Personal

If you use Mozilla Firefox or the Firefox-based Tor Browser to surf the web, a patch fixing a major vulnerability has just been released; you should download and install the update as soon as possible. Your browser will update automatically in the next 24 hours, but if you don’t want to wait, you can download it manually right now. Mozilla said the patch addresses a Firefox animation remote code execution flaw that was discovered on Tuesday, November 29, and was actively exploited to de-anonymize Tor Browser users. It’s believed the attack only directly impacted Windows users, but the vulnerability does exist on Mac OS and Linux as well.

What happened in this breach?

There was a previously unknown vulnerability in Firefox that hackers discovered. On November 29, Mozilla was given the code attackers used to carry out an attack that took advantage of that hole. The code was also posted publicly on a Tor Project mailing list. It collected the IP and MAC address of each targeted system and sent that information to a central server. The goal of the attack was to reveal the identity of the browser user.

According to Wordfence, a WordPress security plugin, the shellcode in the attack traces back to an IP address for a web server hosted at OVH in France that has now been taken down. The company did some research and found it connects to a domain name that is frequently used to host pirated content, viruses, malware, and redirects to malicious sites.

Speculation about who was responsible for the Firefox breach

Who was responsible for this? A group of cyber criminals in another country? A lone U.S.-based hacker? Vice’s Motherboard is reporting that it may have been executed by the FBI. Independent security researcher slipstream/RoL said that some of the code is “almost exactly” the same as code that was used by the FBI in 2013 to find the identities of individuals who were accessing dark web child pornography. Motherboard said it “found several reports that the code had been deployed on a Tor hidden service peddling child pornography called The GiftBox Exchange, or GiftBox for short.”

It’s not currently known if the FBI was indeed responsible for this breach, but Mozilla’s Security Lead, Daniel Veditz, addressed the topic briefly in his blog about the incident:

“If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web.”