Tor Browser vulnerability used to attack visitors to a child porn site

A child pornography site called Giftbox has been attacking its users with a newly discovered exploit in the Tor Browser, according to an exclusive report from Motherboard. According to one user, the exploit was present on the main page, giving attackers a clear way to plant malware on any computer that visited the site.

It’s not clear what the attackers used the exploit for, or what any resulting programs might have done, but such an exploit would have been an easy way for law enforcement to track down anyone visiting the illegal site.

The new exploit isn’t an attack on Tor itself, which disguises traffic by routing it through a larger network. Instead, the attack focuses on the Tor Browser, a modified version of Firefox designed for connecting to websites that can only be accessed through the Tor network. By targeting the browser, attackers were able to plant malware on any computer connecting to the site without compromising the larger network. Tor has patched the browser, and updated versions should be protected against the attack.

There’s no clear evidence for who’s behind the attack, but the tactics are very similar to a number of recent FBI operations. In 2013, the FBI took down a number of hidden services on the Freedom Hosting network, employing a similar browser-based exploit. A year later, the FBI took control of a child porn site called Playpen and — rather than shutting the site down — used it to actively seed tracking malware to its visitors, using that information to identify and prosecute them.

That operation is still legally controversial, but soon it will be much easier for US judges to authorize similar hacks. On December 1st, new amendments to the rules of criminal procedure are set to take effect, allowing judges to write warrants for networked computers regardless of their location. That new legal power, combined with the growing availability of law enforcement malware, would make it much easier for agencies to target and prosecute anonymous figures online, potentially causing significant collateral damage to systems in the process.