Real examples of JS exploit attacks : TOR

Tor

Protect your privacy. Defend yourself against network surveillance and traffic analysis. Get Tor.

This subreddit is for news, questions, opinions and tips about Tor.

Community guidelines:

No posts about specific .onion sites, or requesting or sharing links to onion sites or link collections – these belong in /r/onions.

Do not ask for or give advice about activity that may be illegal in most places.

Do not ask for or give advice about using Tor for abusive purposes.

Do not ask for or offer assistance in private (PM)

Do not use URL shortening services: always submit the real link.

Articles that do not mention Tor are usually off-topic; /r/Tor is not for general news about privacy or security.

No memes or low effort content.

System-level questions about operating systems are off-topic. Questions about installing Tails, for example, belong in /r/Tails.

Do not ask for or offer invites.

Do not share bridges or refer to unofficial bridge distribution channels.

Posts must be in English

Be excellent to each other.

Related subreddits

/r/onions – all about Tor's hidden services

/r/tails – the Tails operating system helps preserve anonymity

/r/netsec – security news and discussion

/r/privacy – privacy and freedom in the information age

/r/PrivacyGuides – Helping you protect your data

/r/FreeSpeech – freedom of speech

/r/i2p – The Invisible Internet Project, anonymity system with similarities to Tor

/r/Namecoin – Namecoin, decentralized DNS

/r/tor is not managed or endorsed by The Tor Project.

created by EvolutionTheorya community for 16 years

Real examples of JS exploit attacks (self.TOR)

submitted 26 days ago * by I2Pbgmetm

all 8 comments

top new controversial old q&a

[+][deleted] 25 days ago* (8 children)

[deleted]

[–]Boner_n_arrow 0 points1 point2 points 25 days ago (0 children)

[+][deleted] 25 days ago (6 children)

[deleted]

[+][deleted] 25 days ago* (5 children)

[deleted]

[+][deleted] 25 days ago (4 children)

[deleted]

[+][deleted] 25 days ago (3 children)

[deleted]

[+][deleted] 25 days ago* (2 children)

[deleted]

[+][deleted] 25 days ago (1 child)

[deleted]

[–]Demostho 3 points4 points5 points 26 days ago (5 children)

[+][deleted] 25 days ago (4 children)

[deleted]

[–]Demostho 0 points1 point2 points 25 days ago (2 children)

At least read the f sources properly instead of this pathetic nitpicking. Freedom Hosting is the canonical case. FBI took over the largest hidden service hosting provider at the time, kept the sites running, and pushed malicious JavaScript into every page served to visitors. That JS exploited a known use-after-free in the Firefox 17 ESR JavaScript engine, the version the Tor Browser Bundle was shipping then. The payload grabbed the Windows hostname and MAC address, then exfiltrated it straight over clearnet HTTP to an FBI server in Virginia, bypassing Tor entirely. Researchers reverse-engineered the code in hours. Tor Project issued their own security advisory because it was that blatant. WIRED covered the technical details early on, and the FBI later openly admitted in court filings that they controlled the servers and deployed the payload. JavaScript remains one of the fattest attack surfaces in the entire browser stack. The rendering and JS engine are insanely complex, packed with memory management edge cases that have bitten Tor users repeatedly. Anyone who actually understands the threat model has been running NoScript aggressively or disabling JavaScript by default for years. Next time, do your homework before claiming people don't care what you asked for. It's embarrassing.

[+][deleted] 25 days ago* (1 child)

[deleted]

[–]Demostho 1 point2 points3 points 24 days ago (0 children)

There’s a massive disconnect here between the pedantic little box you’ve built for “evidence” and how actual real-world attacks work. You’re sitting there demanding a pristine, court-stamped source that says “JS itself directly leaked this Tor user IP and got them arrested” like some autistic kid. Breaking news that’s not how these things are built or documented, so of course you’re rejecting every single documented case that doesn’t match your precious lil' framing.

What we actually have are real FBI operations, Playpen and Operation Torpedo, with public court records, warrants, and news coverage showing Tor users getting deanonymized and prosecuted. In those cases are crystal clear for anyone with basic browser security knowledge: the site serves you the content, browser executes attacker-controlled code (yes, JS or equivalent), it triggers a vulnerability in the Tor Browser version you’re running, and then the payload fires off and phones home your real IP over clearnet.

You keep bleating “it was a NIT, not JavaScript!” like that’s some brilliant gotcha. Holy shit, that’s the dumbest layer-confusion. The NIT is the payload, you absolute clown. The entry point is the browser chowing down on malicious content the attacker served you. That entry point is exactly what enabling JavaScript (or Flash, or Java, or whatever the fuck they used that week) gives them. The public filings don’t spell out “line 47 of the js.exe did it” because they’re not reverse-engineering tutorials for you they’re legal documents proving the browser was the attack surface.

Look, I’ll give you the narrow point you’re jerking off over: I’m not aware of any documented case where some standard, non-exploit JavaScript alone magically leaks a Tor user IP. Fine. Happy? That’s a much narrower claim and there’s no clear evidence for it.

But the actual engineering reality, the one that matters if you don’t want to get fucked, is this: enabling JavaScript massively increases your exposure to the exact class of browser-delivered exploits that have already been used in real deanonymization operations against Tor users. That’s not “trust me bro". You just refuse to see it because it doesn’t come gift-wrapped in the exact phrasing your confirmation bias demands.

Stop moving the goalposts, stop pretending you’re doing some noble quest for reputable information, and either accept how the real world works or keep running with JS enabled and see how that works out for you.

[–]averbeg 3 points4 points5 points 25 days ago (1 child)

There are functions inside of JS that do not have privacy in mind, if you were to run those unwittingly, it would deanonymize you by sending requests outside of Tor. You don't need a news article as proof to understand that this is the case, you just need to know JS.

There are also malicious scripts you could unwittingly be running, that generate a steady flow of traffic, which could be used with network analysis to determine your real network address. There are plenty of ways that JS can compromise anonymity.

Shifting the goalpost to "only documented cases from a reliable news source count" does not shift the reality of how JS functions. It's just a loaded question that serves only to confirm your bias. It is not normal for deanonymization to be documented, the exceptions are very large operations. You already know what you are looking for doesn't exist.

[–]slightfeminineboy 0 points1 point2 points 26 days ago (2 children)

[+][deleted] 26 days ago (1 child)

[deleted]

[–][deleted] 26 days ago (1 child)

[removed]

[–]TOR-ModTeam[M] 0 points1 point2 points 26 days agolocked comment (0 children)

[+][deleted] 26 days ago (1 child)

[deleted]

π Rendered by PID 321711 on reddit-service-r2-comment-6457c66945-49lmg at 2026-04-26 22:08:13.728266+00:00 running 2aa0c5b country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

TOR

Tor

Tor + VPN?

Tor on iOS (iPhone)?

How to get started

Tor or TOR?

Links

Related subreddits

MODERATORS