TorMoil flaw leaks IP addresses of Mac and Linux Tor users
If you're using Tor, you're almost certainly doing so because you're looking for privacy and anonymity. But a newly discovered critical vulnerability in the Mac and Linux versions of the browser means IP addresses may be leaked.
The bug was discovered by security firm We Are Segment and was reported to Tor. While a proper patch is yet to be created, a temporary fix has been released, and Tor users are strongly advised to install it.
The problem was reported to the Tor Project on October 26 by We Are Segment CEO Filippo Cavallarin. The firm explains: "Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser."
At the moment there is no evidence to suggest that the vulnerability -- which has been described as "critical" -- has been exploited in the wild, but this does not mean that it should be ignored. Linux and Mac users are advised to update to Tor Browser 7.0.9. The update comes after the development of a temporary fix which was created with the help of Mozilla engineers.
Members of the Tor Project wrote a post explaining the bug and fix:
"The fix we deployed is just a workaround stopping the leak. As a result of that, navigating file:// URLs in the browser might not work as expected anymore. In particular, entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136."
The Windows version of Tor is unaffected.