Darknet Freedom Hosting Sites Shutdown Led by FBI Exploit Use Against Tor Network


Last Friday, Eric Eoin Marques, the alleged founder of Freedom Hosting, was arrested on charges accusing him of being, in the words of an FBI agent to an Irish court, “the largest facilitator of child porn on the planet.”

Freedom Hosting is a major hidden services hosting provider that can only be accessed through the Tor network, but its association with Marques wasn’t brought up in court.

Tor’s network of thousands of “volunteer-run nodes provides anonymity for users who don’t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.” These hidden services make up the Tor “darknet,” which includes anonymized Web sites, mail hosts, and other services that can only be accessed by computers connected to Tor or via a hidden services proxy website, such as tor2web.org. Their host names end in .onion.

Because Freedom Hosting and Marques have been associated with child pornography, Tor released a statement saying that it is in no way associated with the people running Freedom Hosting:

“The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can,” Tor said in a statement.

So if hidden servers are anonymous and secure, how was the FBI able to crack down on Freedom Hosting’s operations?

The answer lies in a Firefox 17 JavaScript zero-day exploit. According to reports, the exploit was used by the FBI to identify some users. The FBI did not compromise the Tor network itself. The JavaScript zero-day exploit “creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn’t get deleted. Presumably it reports the victim’s IP back to the FBI.”

“Anonymizing services function by hiding the network traffic of a user by mixing-it-up through the network; but if the user themselves is transmitting identifying information it would bypass that protection,” says Kyt Dotson, SiliconAngle assistant editor. “Ordinarily, Tor-bundled browsers disable Javascript, but according to an article on Openwatch many users may have left themselves open to this exploit due to a change in the common Tor Browser Bundle. This event speaks of a necessity to understand the underlying mechanics of privacy tools in order to double-check common vulnerabilities user-side to decrease overall vulnerability.”

This isn’t the first time Freedom Hosting was targeted in relation to child pornography. Last year, the hacktivist collective Anonymous launched #OpDarknet, which targeted darknet sites that were part of the Hidden Wiki. Anonymous allegedly found Hard Candy, a listing of child pornography sites, such as Lolita City. Anonymous gave them enough time to take down the sites, but when the deadline came and no action had been taken, the sites were taken offline.