The FBI has denied an accusation that it paid at least $1 million to Carnegie Mellon University (CMU) researchers to infiltrate Tor, a free software implementation of second-generation onion routing that enables its users to communicate anonymously on the internet.
The agency told Ars Technica that the accusation of paying the university's security researchers to unmask Tor users and reveal their IP addresses as part of a criminal investigation was 'inaccurate'.
"The allegation that we paid (Carnegie Mellon University) $1 million to hack into Tor is inaccurate," the FBI said.
However, in July last year the Tor Project team discovered more than a hundred new Tor relays that modified Tor protocol headers to track people who were looking for Hidden Services, web servers hosted on Tor that offer more privacy.
The attackers used a combination of nodes and exit relays, along with some vulnerabilities in the Tor network protocol, that let them uncover users' real IP addresses.
After discovering the flaws, the team updated its software and rolled out new versions of the code to block similar attacks in the future. At that time, however, the team could not find the hackers behind the flaws.
"We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor -- but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of 'legitimate research,'" the Tor team said in a blog post.
"Whatever academic security research should be in the 21st century, it certainly does not include 'experiments' for pay that indiscriminately endanger strangers without their knowledge or consent," the post added.
Now, the Tor Project claims to have patched the vulnerabilities, but this doesn't solve the core problem.