On Tuesday, reports surfaced of an exploit being deployed in the wild against users of the anonymizing software Tor Browser. Like other Tor Browser exploits used in the past, it was likely used to target visitors of a dark web child pornography site, Motherboard has found.
The existence of the exploit first emerged when a pseudonymous tipster published the code on a Tor mailing list.
“This is a JavaScript exploit actively used against TorBrowser NOW,” they wrote. Roger Dingledine, co-founder of the Tor Project, replied shortly after, saying that someone had sent the code to Mozilla earlier that day, and that the non-profit was working on a patch.
Motherboard has found several reports that the code had been deployed on a Tor hidden service peddling child pornography called The GiftBox Exchange, or GiftBox for short.
“Active Warning Please AVOID GiftBox Exchange & Disable JavaScript (2016-11-30),” the entry for GiftBox on The Uncensored Hidden Wiki reads.
The Uncensored Hidden Wiki is a site that collates dark web links and provides Wikipedia-style articles on each. The post adds that there is an active discussion on another child pornography site about the malware (Motherboard was unable to confirm this, as it would require logging into the site itself, which would likely be illegal).
“NIT Found! Suspected to be Operated by Law Enforcement,” the entry continues. A NIT, or a network investigative technique, is a general term used by the FBI to describe the agency’s malware. (According to independent security researcher slipstream/RoL, some of the code is “almost exactly” the same as that used in a 2013 FBI operation to unmask users of dark web child pornography sites. However, whether the FBI, or another law enforcement agency, was behind this particular exploit is not totally clear).
On Tuesday, a pseudonymous user on Hacker News also said the exploit was used on the “CP site” GiftBox. CP is a commonly used acronym for child pornography.
“The exploit got loaded on the confirmation page after logging in,” the user wrote.
According to the Uncensored Hidden Wiki entry, GiftBox opened in July 2015 and consists of several different parts: the main site and two other “chat” sites which operate independently of one another. It also allegedly had posts in English, German, French, Spanish and Dutch, and had some 45,000 users earlier this year.
The site administrators said they were shutting down the main GiftBox site on November 15, according to a message included in the updated entry.
“It is with deep regret that we must inform you that The GiftBox Exchange will not be reopening to the public. We are currently not able to bring back the board in a way that we feel comfortable with. And so, we will shut the whole thing down,” the message allegedly read. The message then said that the two chat sites would stay open “for the foreseeable future.”
As for the exploit itself, the Tor Project released a patch for its browser on Wednesday, which included a fix for the underlying vulnerability.
The Tor Browser is built on Mozilla’s Firefox (its extended support release), so the two browsers share much of the same code, and a bug in that shared code affects both. The usual sequence is that Mozilla patches the vulnerability in Firefox first and the Tor Project then incorporates the fix into its own release, which is what happened here.
Joshua Yabut, a researcher who analyzed the exploit, told Ars Technica that the code is “100 percent effective for remote code execution on Windows systems.” The payload contacts a hard-coded IP address, 5.39.27.226, a server in France belonging to hosting provider OVH.
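That callback address is the one concrete indicator the article gives, and it is the kind of thing a defender would sweep outbound-connection logs for. The following is an added example, not code from the article or from any of the researchers it cites. It runs over a few constructed log lines in an assumed key=value format (the internal addresses, timestamps and ports are invented for the example and say nothing about the real payload’s protocol), and contrasts a plain substring search, which also matches an unrelated address such as 15.39.27.226, with exact address comparison.

```python
import ipaddress
import re

# Indicator taken from the article: the payload's callback server at OVH.
CALLBACK_IPS = {ipaddress.ip_address("5.39.27.226")}

# Constructed sample of outbound-connection records (not real captures).
# The third line is a deliberate decoy: a different address that contains
# the indicator as a substring.
SAMPLE_LOG = """\
ts=2016-11-30T15:02:11Z src=10.0.0.14 dst=93.184.216.34 dport=443 proto=tcp
ts=2016-11-30T15:02:13Z src=10.0.0.14 dst=5.39.27.226 dport=80 proto=tcp
ts=2016-11-30T15:02:19Z src=10.0.0.27 dst=15.39.27.226 dport=443 proto=tcp
ts=2016-11-30T15:03:40Z src=10.0.0.14 dst=5.39.27.226 dport=80 proto=tcp
ts=2016-11-30T15:04:01Z src=10.0.0.31 dst=172.217.0.46 dport=443 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn one 'key=value key=value ...' line into a dict (assumed format)."""
    return dict(FIELD_RE.findall(line))


def naive_grep(lines, needle="5.39.27.226"):
    """What a quick substring search returns; over-matches on 15.39.27.226."""
    return [line for line in lines if needle in line]


def sweep(lines, indicators=CALLBACK_IPS):
    """Return the parsed records whose destination exactly equals an indicator."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        try:
            dst = ipaddress.ip_address(rec.get("dst", ""))
        except ValueError:
            # Malformed or missing dst field: skip rather than guess.
            continue
        if dst in indicators:
            hits.append(rec)
    return hits


def affected_hosts(lines, indicators=CALLBACK_IPS):
    """Sorted list of internal sources that contacted an indicator address."""
    return sorted({hit["src"] for hit in sweep(lines, indicators)})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("substring matches:", len(naive_grep(lines)))
    print("exact matches:", len(sweep(lines)))
    print("hosts to triage:", affected_hosts(lines))
```

The exact comparison is what you want for a triage list: the decoy line would otherwise put 10.0.0.27 on the list of machines to image, and the same parsing step is where you would add the other fields (user, process, bytes out) that your own log source provides.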
The exploit code has now been public for nearly 24 hours, so others may have tried to use it against unpatched browsers before the fix was released.
Europol did not respond to a request for comment, and the FBI declined to comment.