Anonymous Web-host shut down, owner arrested; Tor users compromised by Javascript exploit


#21
  1. Depending on the variety of “sick stuff” you deserve the feds to come knocking. We know what’s around, show some self control.

  2. Tor doesn’t control sites that are accessible via it.

  3. This exploit was specifically for the purpose of getting Tor users’ real IP address and as such will likely not affect other parts of your system.

  4. There’s no knowing (at the moment), but chances are your system is fine.

  5. Curiosity told the cat how to crack the atom (always be curious)

  6. GET SOME FUCKING GRAMMAR LESSONS

  7. If you had to run around the world every time you wanted to get some milk from down at the shops you’d be slow too.


#22

My question: If you verified the signature of the Tor package and got a “good signature” result then does that mean you’re safe?

For those wondering WTF I’m on about, this exploit is the precise reason they HAVE checksums.
https://www.torproject.org/docs/verifying-signatures.html.en


#23

Child porn is gross, but I’m mighty glad I never used Tor browser bundle and only used the proxy Vidalia option.


#24

You mean besides the fact that all of the source is available and every checkin can be seen by the public at http://hg.mozilla.org/ ?


#25

A full scan of what exactly?


#26

And this is the Mozilla response:

https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/comment-page-1/#comment-111200

Dan Veditz posted:

The vulnerability being exploited by this attack was fixed in Firefox
22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53.

People who are on the latest supported versions of Firefox are not at
risk.

Although the vulnerability affects users of Firefox 21 and below the
exploit targets only ESR-17 users. Since this attack was found on Tor
hidden services presumably that is because the Tor Browser Bundle
(TBB) is based on Firefox ESR-17. Users running the most recent TBB
have all the fixes that were applied to Firefox ESR 17.0.7 and were
also not at risk from this attack.

The only folks at risk are folks running older versions of either mainline Firefox or ESR17.

Folks, this is why installing security update versions of your browser is important. If you’re running Firefox, you’ll get a prompt when a new version is available. Follow the prompt and install the update. It is painless and the whole point is that, along with new features (except for ESR versions), you get security fixes.

The next release is on Tuesday.


#27

It wasn’t a malware piece of Tor. It was a security bug fixed in the current version of ESR17 Firefox (and mainline Firefox). There is no reason to believe it isn’t fixed in the current version of the Tor Browser Bundle but a bunch of people are probably running older versions of the TBB since it doesn’t autoupdate like ESR17 Firefox or mainline Firefox. You have to install newer versions by hand. If you didn’t do it when the current version came out, you’d have an older version and, from what can be told, be vulnerable to this. See https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/comment-page-1/#comment-111200


#28

Gotcha… so it was simply a javascript exploit that only worked on old/unpatched versions of FF. So in answer to my question: yes, old versions of the package will still show up as having a good signature as the package has not been tampered with.

PS: nice to finally have a topic we agree on, Mr. Billings.


#29

So I’ve been running this through my head and I have to say I don’t think they’re going to look at anyone who happens to browse to TorMail, or hit a site that is compromised, otherwise there will be a lot of people sitting in jail over this. So I think we all have nothing to worry about at all.


#30

It had to happen sometime.

Krebs has a fairly complete piece at http://krebsonsecurity.com/2013/08/firefox-zero-day-used-in-child-porn-hunt/ as well.


#31

Besides, if you go to the Mozilla Foundation Security Advisory 2013-53 and look at the meta field for author, you may find that I have an oar in the water here.


#32

So I think we all have nothing to worry about at all.

If you looked at child pr0n that was hosted on Freedom Hosting you might. I don’t look for such material so I’m sweet… stick to buying drugs, kid.


#33

Tor devs re-enabled javascript by default?

That just seems extremely foolish to me. If I run Tor again, noscript will be the first thing I install. I don’t know why anyone would think “anonymity” and “javascript” go well together.


#34

“A good compromise leaves everyone angry.”


#35

The real problem with Freedom Hosting wasn’t the porn - it was the freedom. However, the powers have us - at least us Americans - programmed to freak out and stop thinking as soon as we hear the word porn.

Might as well be fnord.


#37

Cowicide said:
it’s also great for governments to out dissidents/activists.

I really hope there’s a typo lurking in there.

No typo. Just using the word “great” sarcastically. As in “great” for them, not for activists, etc.


#38

It would definitely help the gubmint get around all that pesky Tor/VPN obfuscation

My guess is it’s not pesky at all, and they have workarounds for it.


#39

this exploit is the precise reason they HAVE checksums.

Not really, it was a javascript attack server side. Verifying the checksums of the Firefox tor browser wouldn’t have helped against it at all. In other words, it wasn’t a fake tor browser that did this.

Edit: whoops, I see now that @albill already answered this, sorry.


#40

or Alexander the “Great”.

*fistbump*


#41

This topic was automatically closed after 5 days. New replies are no longer allowed.