The Mac and Linux versions of the Tor anonymous browser receive a temporary fix for a critical vulnerability that leaks users’ IP addresses when they visit certain types of addresses.
TorMoil, as the flaw was recorded by its discoverer, is triggered when users click on links that start with file:// instead of the more common https:// and http:// address prefixes. When Tor Browser for macOS and Linux is in the process of opening such an address, “the device can connect directly to the remote host, browsing Tor Browser,” according to a Brief blog post published Tuesday by A Se Apa, a security company that reported the bug privately to Tor advertisers.
On Friday, members of the Tor Project published a temporary work-around that plugs the IP leak. Until the final fix is in place, updated versions of the browser may not behave properly when browsing to file:// addresses. They say that both Windows versions of Tor, Sort, and the Sandboxed browser included in the alpha test are not vulnerable.
“The fix we deployed is one step in stopping the leak,” Tor officials wrote in a post announcing Friday’s release. “As a result of that browsing file:// URL in the browser may no longer work as expected. Specifically typing the file:// URL in the URL bar and clicking on the resulting links is broken. Open the available in a new tab or a new window doesn’t work either. The solution for those cases is pulling the link into the URL bar or on the tab instead. We trace the following regression in bug 24136.”
Friday’s post went on to say that We Are Section Manager Filippo Cavallarin privately reported the vulnerability on October 26. Tor developers worked with Mozilla developers to create a workaround the next day, but it only partially worked. They finished work on a more complete job around on Tuesday. The post did not explain why the fix, shipped in Tor browser version 7.0.9 for Mac and Linux users, was not rolled out until Friday, three days later. The Tor browser is based on Mozilla’s open source Firefox browser. The IP leak results from a Firefox bug.
Tor officials also warn that alpha versions of the Tor browser for Mac and Linux have not yet received the fix. They say they have a patch set to go live on Monday for those features. In the meantime, the officials said, Mac and alpha Linux users should use updated versions of the stable version.
Tor’s statement on Friday said that there is no evidence that the flaw has been exploited on the Internet or dark to obtain IP addresses or Tor users. Of course, the lack of evidence doesn’t mean the flaw isn’t used by law enforcement officers, private investigators, or hackers. And now that there is a fix, it will be easier for enemies who didn’t know about the prior vulnerability to create exploits. Anyone who relies on the Mac or Linux version of the Tor browser to protect their IP address should update as soon as possible and be prepared for the possibility, however remote, that their IP addresses have already been leaked.