Skip to main content

Hackers have infiltrated Tor Browser and it can't get rid of them (yet)

(Image credit: Shutterstock / Daniel Constante)

A mysterious group of hackers has attached hundreds of malicious servers to the network of privacy-focused web browser Tor, which are being used to execute targeted attacks on users.

The Tor operators have been wrestling with the hackers since January, according to a report from independent security researcher Nusenu, who has monitored the network for a number of years.

At the peak of the attack in May, the hackers operated a total of 380 Tor exit relays (the servers that bridge the network with the public internet), meaning each user had a roughly one in four chance of being funneled through a dangerous server.

Despite three separate attempts to rid the network of the malicious servers after alarms were raised by Tor directory authorities, the group still reportedly controls more than 10% of exit relays today.

Tor Browser security

Having gained a strong foothold in the Tor network - which is usually considered among the most secure around - the hackers have launched targeted attacks against users of cryptocurrency websites.

“They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays,” wrote Nusenu. “They (selectively) remove HTPP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings.”

This type of attack is known as SSL stripping and allows malicious actors to capitalize on the fact users rarely type out full website URLs (including https://). In this context, the hackers are using the exploit to replace bitcoin addresses in unsecured HTTP traffic and funnel cryptocurrency payments into their own wallets.

Tor Browser reportedly lacks the ability to verify new relay operators at sufficient scale, meaning there is no immediate resolution in sight. However, Nusenu claims to have contacted the cryptocurrency websites used to execute the hijacking attacks, which could choose to implement countermeasures (such as HSTS Preloading or HTTPS Everywhere).

Update - August 12:

Tor Browser has since provided TechRadar Pro with the following statement:

"Last year we created a Network Health team to invest in a dedicated team just to keep track of [bad relays]. Unfortunately this year we had to lay off a third of our organization due to the fundraising impacts of Covid-19, which led us to reorganizing teams internally."

"Due to the limited capacity we have at the moment, it takes a bit longer than usual to tackle certain things. Our goal is to recover our funds to be able to get that Network Health team back in shape."

"We would like to take the opportunity to raise the importance for website admins to always enable HTTPS for their site (and that folks can get free certificates with Let's Encrypt) and to make sure they have HTTPS Everywhere enabled for their site, so their users can be redirected to a safer connection."

The organization also explained it has a few ideas about how to address the issue, including an overhaul of the threat review process and new limits on the "influence" of unknown relays. This way, Tor can be certain that X% of the network can be trusted.

  • Here's our list of the best VPN services out there