A recently discovered vulnerability in fully patched versions of the Firefox browser could allow hackers to easily conduct a man-in-the-middle (MITM) attack to intercept Tor anonymity network traffic, and allow an attacker to deliver a malicious update that includes payloads.

When the vulnerability was reported, the Tor Project immediately released a patched version, 6.0.5, but Mozilla Firefox still has to patch the critical flaw in the browser.

What can a hacker achieve using this vulnerability?

You might be familiar with the man-in-the-middle attack, which is used to sniff network traffic and target users in order to extract sensitive information such as passwords, credit cards and logs, and even to exploit them through a router.

In the case of this recent vulnerability, a man-in-the-middle attacker who is able to obtain a forged certificate for addons.mozilla.org can deliver a malicious update for NoScript, HTTPS to a targeted computer. This can be used to backdoor users with malware hidden inside those add-ons.

“This could lead to arbitrary code execution [vulnerability],” Tor officials warned in an advisory. “Moreover, other built-in certificate pinnings are affected as well.”

Who Discovered this vulnerability?

The vulnerability was discovered by @movrcx on Tuesday. He is a security expert who described the attack against Tor Browser and Mozilla Firefox, estimating that attackers would need US$100,000 to launch the multi-platform attacks.

Further research by Ryan Duff reports that the issue also affects stable versions of Firefox.

Ryan Duff explains that the actual problem resides in Firefox’s custom method for handling “Certificate Pinning,” which is different from the IETF-approved HPKP (HTTP Public Key Pinning) standard.

Certificate Pinning is an HTTPS feature that makes sure the user’s browser accepts only a specific certificate key for a particular domain or subdomain and rejects all others, preventing the user from being a victim of an attack made by spoofing the SSL certs.

While not very popular, the HPKP standard is often used on websites that handle sensitive information.
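To make the pinning check concrete, here is an added example (not from the original article, and not Mozilla's or Tor's code) of an HPKP-style policy being parsed and enforced. The host names, the byte strings standing in for DER SubjectPublicKeyInfo blobs, and the function names are constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into a policy dict."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            if len(base64.b64decode(arg, validate=True)) != 32:
                raise ValueError("pin is not a SHA-256 digest")
            policy["pins"].add(arg)
        elif name == "max-age":
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None or not policy["pins"]:
        raise ValueError("max-age and at least one pin are required")
    return policy

def pin_check(host, chain_spki, pinned_host, policy, noted_at, now):
    """True if the connection may proceed after normal CA validation."""
    covered = host == pinned_host or (
        policy["include_subdomains"] and host.endswith("." + pinned_host))
    if not covered or now > noted_at + policy["max_age"]:
        return True  # no live pin for this host: CA validation alone decides
    # At least one key in the validated chain must match a pinned key.
    return any(spki_pin(spki) in policy["pins"] for spki in chain_spki)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF, ISSUER, BACKUP = b"spki-leaf", b"spki-issuing-ca", b"spki-backup-key"
FORGED_LEAF, OTHER_CA = b"spki-forged-leaf", b"spki-other-trusted-ca"

HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
          % (spki_pin(ISSUER), spki_pin(BACKUP)))
POLICY = parse_pkp_header(HEADER)

if __name__ == "__main__":
    host, pinned = "addons.example.test", "example.test"
    print("genuine chain accepted:",
          pin_check(host, [LEAF, ISSUER], pinned, POLICY, 0, 60))
    print("CA-valid chain from another CA accepted:",
          pin_check(host, [FORGED_LEAF, OTHER_CA], pinned, POLICY, 0, 60))
```

The second call returns False even though the chain would pass ordinary CA validation, which is the protection pinning is meant to add; once the policy's lifetime has elapsed the same chain is accepted, so enforcement is only as strong as the handling of that lifetime.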

“Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP,” says Duff. “The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario.”

Mozilla planned to release Firefox 49 today. The Tor Project took just one day to address the flaw after the bug’s disclosure went online.