An intruder possesses identifying information about some users of the popular identity-masking network Tor, project developers said. The breach is believed to be the work of U.S. authorities hunting for a child porn trafficker.
Tor's software allows users to traverse the Internet almost without being traced.
Security analysts speculate the "LEA," or law enforcement authorities, exploited a flaw in Tor’s Firefox browser components to implant a worm capable of unmasking website operators -- some of whom distribute porn.
Tor officials said they have not decided whether to take action against whoever created the exploit, which targets earlier versions of Tor's browser bundle. "We need to see who wrote the exploit and deployed it. We'll reserve next steps until some future date when more facts are elucidated," Tor Project Executive Director Andrew Lewman said in an email.
Reverse engineering researcher Vlad Tsyrklevich wrote on his website that, because the malicious program does not insert lingering spyware or execute commands, "it's very likely that this is being operated by an LEA and not by blackhats" with malice.
Over the weekend, Tor “hidden services” hosted by Freedom Hosting went dark around the same time the Irish media began reporting the FBI wants to extradite alleged Freedom Hosting operator Eric Eoin Marques, an Irishman, on charges tied to online child pornography.
Hidden services -- servers reachable only through Tor -- protect vulnerable individuals such as domestic violence victims and whistleblowers, but also individuals concealing illicit activities.
In a preliminary assessment of the situation on Sunday, Tor officials acknowledged in a blog post that “the current news indicates that someone has exploited the software behind Freedom Hosting.” Officials now state that the intrusion was intentional and widespread.
"It's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services," Tor officials said in a security advisory issued on Monday.
FBI officials declined to comment on suspicions that U.S. authorities were involved in the infiltration.
In a statement, bureau officials confirmed that “an individual has been arrested as part of an ongoing criminal investigation” when asked about the extradition of Marques, adding that, “because this matter is ongoing, we are unable to provide further comment.”
The Tor advisory details the program errors that led to the infection, along with remedies. The worm, dubbed "Torsploit" by researchers, affected Windows users who were running earlier versions of the Tor browser bundle. The injected code would allow an outsider to commandeer a victim's computer, but the malicious activity actually observed only appears to collect the user's hostname and MAC address, the unique identifier assigned to a computer's network hardware.
Tor officials are attempting to distance themselves from the alleged porn operation: "The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research,” Sunday’s blog post stated.