Tor Browser May Have Been Leaking Your Real IP Addresses – macOS & Linux Users Need to Update ASAP
The Tor Project has issued an emergency security fix for its browser to stop it from leaking IP addresses because of an unpatched Firefox bug. The fix for this critical vulnerability is available for the macOS and Linux versions of the Tor anonymity browser.
TorMoil flaw doesn't affect Windows and Tails
The bug was recently discovered by security firm We Are Segment. Dubbed TorMoil, the flaw is triggered when a user clicks on a local address, such as one beginning with file:// instead of http://. When a macOS or Linux user clicks on such an address, Tor Browser exposes the user's real IP address in the process of opening it.
The bug, in a browser that millions use specifically for the anonymity and security it promises, pushed the operating system to "directly connect to the remote host, bypassing Tor Browser." The Tor Project delivered a patch for this issue late Friday for both macOS and Linux, confirming that Windows users weren't vulnerable to this particular flaw.
The Tor Project said that the bug is "partially fixed" now. "The fix we deployed is just a workaround stopping the leak," Tor wrote in a blog post.
"As a result of that, navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136."
While the non-profit group has said that the bug hasn't been exploited in the wild, the details of the issue remain private as researchers work toward a more permanent solution. Users should assume that their IP addresses may have been leaked or could leak in the future, and should update to the latest versions. Tor said that users on the alpha versions of the browser for macOS and Linux should update to Tor Browser 7.5a7; users on the stable version have been updated to Tor Browser version 7.0.9.