First responders
The bug was first made public on a Tor mailing list at 21:55:23 UTC 2016 on Tuesday and was quickly confirmed by Tor co-founder Roger Dingledine. Dingledine announced shortly the vulnerability had been initially discovered that Mozilla security engineers were actively working on a fix.
As of 12:45 p.m. ET, Mozilla had released Firefox 50.0.01 to patch the bug, although a Tor browser update is still needed. Dingledine said in a message board post that after Mozilla released its patch, “then the step after that is a quick Tor Browser update.”.
The bug was believed to affect multiple Windows versions of Firefox, including the current version 50 and going back as far as version 41. The exploit code is a combination of HTML, CSS, and JavaScript and when hosted on a website and accessed through Firefox or Tor, would construct an SVG file that would trigger vulnerability that could send details about the user’s computer and connection to to a remote server.
The collected data included the user’s IP address and hostname.
Similarities to previous bugs
Analysis of the exploit is still underway, but the code appears to be similar to a 2013 Javascript zero-day in which attack code could be used to find a Tor user’s real IP address and relay it back to a server.
That exploit was implemented by the United States Federal Bureau of Investigation in attempts to track down Tor users using the browser to access child pornography.
It is not known who is behind the current exploit.
What to do
Although a patch has been released, it is still recommended that Firefox users temporarily switch to an alternate browser such as Chrome or Safari when possible. Alternatively, they are advised to temporarily disable JavaScript on Firefox for as many sites as possible. Tor users are also recommended to turn off JavaScript, although disabling it goes against the official Tor recommendations.
Although it appears that the exploit currently only targets Firefox on Windows, security Dan Guido, noted on Twitter that macOS users of Firefox are also vulnerable.
