Certain users of the Tor Browser should implement a temporary fix for a vulnerability that can potentially leak their real IP addresses.

On 3 November, Tor Browser 7.0.9 rolled out to macOS and Linux users. Included in the updated version is a fix for an issue that affects Tor Browser 7.0.8 on those two operating systems. Windows users aren’t affected by the issue and therefore need not upgrade. Tails users and users of the sandboxed Tor Browser are also safe from the bug.

Tor initially received word about the vulnerability on 26 October from Filippo Cavallarin, CEO of We Are Segment. Researchers at the Italian digital security and ethical hacking company describe how the flaw dubbed “TorMoil” works:

“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser.”

Upon learning of the flaw, Tor worked with Mozilla to develop a fix. Their initial effort produced a workaround that Tor’s researchers admit only partially addresses the problem. They came up with a more substantive patch on 31 October, which went live on 3 November.

(Image: The Tor Browser)

At this time, it’s unclear if the vulnerability applies to earlier versions than Tor Browser 7.0.8 for macOS and Linux. It’s also unknown why Tor waited three days to release its additional fix. What is clear, however, is that a final fix is still needed.

Tor’s researchers say they’re working on one:

“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in