Tor users must update their Tor browser to fix a critical vulnerability, dubbed TorMoil, that could leak their real IP addresses to potential attackers when they visit websites with certain content.
The Tor Project released the Tor Browser 7.0.9 version for both Linux and MacOS, users of both the Windows versions of Tor, Tails and the sandboxed-tor-browser that’s in alpha testing are not affected.
“This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address.” reported the security advisory published by the Tor Project.
“Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails users and users of our sandboxed-tor-browser are unaffected, though.”
The vulnerability was discovered by the Italian security expert Filippo Cavallarin, CEO at security firm We Are Segment.
The TorMoil flaw resides in FireFox browser for macOS and Linux on which the Tor Browser is based, it could be triggered when users click on links that begin with file:// addresses, instead of the more common https:// and http:// addresses.
“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser” reads the blog post published by We Are Segment.
“If you are one of those people that rely on Tor Browser to safely browse the Internet, the message is just one: keep your Tor Browser updated!”
Cavallarin privately reported the security flaw to Tor development team on October 26, and the developers at the Tor project have rolled out an emergency update Tor version 7.0.8. The new version implements a temporary workaround to prevent the real IP leakage.
macOS and Linux users may found the updated versions of the Tor anonymity browser might not work as expected while navigating to file:// addresses, until the permanent patch becomes available.
“We are currently preparing updated macOS and Linux bundles for our alpha series which will be tentatively available on Monday, November 6. Meanwhile macOS and Linux users on that series are strongly encouraged to use the stable bundles or one of the above mentioned tools that are not affected by the underlying problem.” continues the Tor Project.
“Known issues: The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.”
The Tor Project also said there’s no evidence the TorMoil flaw has been actively exploited by threat actors in the wild to de-anonymize Tor users.
It is important to highlight that flaws in the Tor browsers are precious commodities, recently the zero-day broker Zerodium offered $1 Million reward for working exploits.
On the other side, the Tor Project continues to improve its software, it has recently announced the release of Tor 0.3.2.1-alpha that includes support for the next generation onion services.