A researcher who goes by the online pseudonym “movrcx” revealed on September 13th that both Firefox and Tor have major vulnerabilities to MitM (man-in-the-middle) attacks. The vulnerability stems from the browsers not using HTTP Public Key Pinning (HPKP), as well as flaws in their system following updates earlier this month. HPKP is a cryptographic mechanism used to verify a web server’s certificate and to identify forged certificates. A MitM attack is performed by an attacker who relays and/or changes the communication between two parties. The article used Firefox as an example: an attacker who obtains a certificate for addons.mozilla.org, by either hacking or tricking a certificate authority (CA), the entity that issues digital certificates, can replace updates sent to users with something else, such as malware.
The Tor Project’s browser also suffers from this vulnerability because it is based on Firefox, and it is actually more susceptible because it comes with add-ons preinstalled, whereas Firefox does not. (Tor is a browser designed to keep users anonymous by “bouncing” the user’s communications between relay networks operated by volunteers around the globe.)
Movrcx’s warning included a hypothetical scenario in which a “sophisticated threat actor, such as a nation state or criminal organization” would be able to abuse this vulnerability and launch mass attacks against a user or users. Tor Project representatives initially mocked movrcx’s claim, stating that it wasn’t credible, but the vulnerability was later confirmed by another researcher, Ryan Duff.
Both browsers have already been updated to address this issue, with Tor being updated on the 16th and Firefox on the 20th.
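To show why a CA-issued forgery is caught only while pinning is enforced, here is an added example (not code from the original article, Firefox or Tor) of an RFC 7469-style pin check. The key bytes, the pin set and its expiry date are constructed placeholders, and check_pins is a hypothetical helper.

```python
import base64
import hashlib
from datetime import datetime, timezone

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def check_pins(chain_spkis, pinset, now):
    """Pin check for a chain that has ALREADY passed normal CA validation.

    Returns 'ok', 'pin-mismatch' (abort the connection) or 'not-enforced'.
    """
    if now >= pinset["expires"]:
        # Expired pins are ignored: only ordinary CA validation remains.
        return "not-enforced"
    pins = set(pinset["pins"])
    # One match anywhere in the chain (leaf, intermediate or root) suffices.
    if any(spki_pin(spki) in pins for spki in chain_spkis):
        return "ok"
    return "pin-mismatch"

# Constructed stand-ins for DER-encoded public keys (not real key material).
GENUINE_LEAF = b"constructed-spki: genuine addons.mozilla.org key"
GENUINE_CA = b"constructed-spki: CA the site really uses"
FORGED_LEAF = b"constructed-spki: attacker key for addons.mozilla.org"
OTHER_CA = b"constructed-spki: tricked or compromised CA"

# Constructed pin set: the site's CA key plus a backup key, with an expiry.
PINSET = {
    "host": "addons.mozilla.org",
    "pins": [spki_pin(GENUINE_CA), spki_pin(b"constructed-spki: backup key")],
    "expires": datetime(2016, 12, 1, tzinfo=timezone.utc),  # constructed date
}

def demo():
    before = datetime(2016, 9, 1, tzinfo=timezone.utc)
    after = datetime(2017, 1, 1, tzinfo=timezone.utc)
    return {
        "genuine": check_pins([GENUINE_LEAF, GENUINE_CA], PINSET, before),
        "forged": check_pins([FORGED_LEAF, OTHER_CA], PINSET, before),
        "forged_after_expiry": check_pins([FORGED_LEAF, OTHER_CA], PINSET, after),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The forged chain is rejected only while the pin set is live; once the pins lapse, a certificate from any trusted CA is accepted, so pin expiry dates are worth monitoring alongside certificate expiry.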
Original article: http://www.securityweek.com/firefox-tor-browser-vulnerable-malicious-add-attacks