“Really, switching away from Windows is probably a good security move for many reasons,” according to a security advisory posted Monday by The TOR Project.
People using Linux and OS X were not affected, but that doesn’t mean they couldn’t be targeted in the future. “This wasn’t the first Firefox vulnerability, nor will it be the last,” The TOR Project warned.
“This exploit doesn’t look like general purpose malware; it looks targeted specifically to unmask Tor Browser Bundle users without actually installing any backdoors on their host,” said Vlad Tsyrklevich, a security researcher who analysed the code, in an email. He published an analysis on his website.
The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle. The bundle’s browser, based on Firefox, is specially configured to visit TOR sites, which have URLs that look like “http://idnxcnkne4qt76tg.onion/.”
Requests to websites on TOR take a circuitous route through a network of servers around the world designed to obscure a computer’s IP address and other networking information that makes it easier to link a computer to a user.
Several TOR Browser Bundle versions were fixed over a four-day period starting June 26. Although the Browser Bundle will automatically check for a new version, it is possible that some users didn’t upgrade, which could have put them at risk.
“It’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services,” The TOR Project wrote.
Although unconfirmed, computer security experts have theorised the malware may have been used by law enforcement to collect information on people who browsed certain TOR websites supported by a company called Freedom Hosting.
That hosting company is believed to be connected to a 28-year-old man, Eric Eoin Marques. He is being held by Irish authorities pending an extradition request from the US on charges of distributing and promoting child pornography, according to the Irish publication the Independent.
In response to a query about the case, the FBI said Monday that someone had been arrested as part of an investigation, but did not identify the person.