The US is seeking the extradition of Eric Eoin Marques

Aug 5, 2013 07:32 GMT

On Sunday, a large number of hidden service addresses – ones that are accessible only via Tor – disappeared from the Tor Network, the infamous anonymization system used not only by activists, dissidents and whistleblowers, but also by criminal organizations.

The disappearance of the websites coincides with the arrest of Eric Eoin Marques, a 28-year-old from Ireland believed to be the operator of Freedom Hosting, one of the largest .onion site hosting providers.

According to the Irish Examiner, Marques – who is both an Irish and US citizen – has been arrested in Ireland based on a Maryland, US, warrant. The US is seeking his extradition, accusing him of being the world’s largest facilitator of illegal adult content featuring children.

The Tor Project’s representatives published a blog post stating that they’re not in any way affiliated with Freedom Hosting.

They believe someone breached Freedom Hosting and configured the server to inject a JavaScript exploit into the web pages delivered to users.

Experts have told Brian Krebs that a Firefox 17 zero-day vulnerability has been leveraged in an attempt to identify users who are visiting illegal adult websites hosted by Freedom Hosting.

The exploit could have been used to deliver malware, but it appears it has only been utilized to redirect visitors to a site that harvests the real IP addresses of those who visit the illegal sites. This leads many to believe that the FBI might be behind the attack.

“Ironically, all [the malicious code] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID,” Ofir David, head of intelligence for Israeli cybersecurity firm Cyberhat, told Krebs.

“That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.”

Reporting for E Hacking News, security expert Suriya Prakash provides a detailed analysis of the exploit used by the attackers. Prakash also highlights that the vulnerability leveraged by the hackers affects Firefox, not the Tor network itself.

“This exploit works because the people at TOR project had made it such that Javascript is loaded by the built-in browser by default (this was not the case before and people who had their ‘no script’ plugin with proper setting ‘disallowed’ are safe),” Prakash explained.