Over the weekend, reports circulated online that a critical Tor vulnerability has been leaking the IP addresses of Tor browser users.
Dubbed TorMoil, the vulnerability was found to expose the real IP addresses of macOS and Linux users of the Tor Browser. Italian security researcher Filippo Cavallarin, CEO of We Are Segment, discovered the vulnerability, which resides in Firefox and therefore also affects the Tor Browser, since Tor Browser uses Firefox at its core.
On Friday, the Tor Project released a patch for the TorMoil vulnerability, which affects Tor Browser version 7.0.8. Windows users running Tor Browser 7.0.8 are not affected by the issue.
In a post published by GK on the Tor Project blog, the organization said:
“This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address (note: as of Nov. 4, 2017, this link is non-public while Mozilla works on a fix for Firefox).
Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails users and users of our sandboxed-tor-browser are unaffected, though.”
Discovering the Tor Vulnerability, TorMoil
According to a separate and short blog post by We Are Segment, a Firefox bug is apparently responsible for the IP address leaks. The post read:
“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser.”
It appears that the Tor vulnerability is triggered by clicking on links that begin with ‘file://’ rather than the usual ‘https://’ and ‘http://’ address prefixes. The patch released by the Tor Project on Friday was only a temporary solution to the problem.
It was reported that until a final fix is in place, the updated Tor Browser (version 7.0.9) may not behave properly when navigating to ‘file://’ addresses.
“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken.
Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136,” Tor Project operators said.
The Tor vulnerability was initially reported to the Tor Project by Cavallarin on October 26th. Since then, the team has continuously worked on a fix for the problem.
“The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially.
We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild. Thanks to everyone who helped during this process!”
The Tor Project operators said that updated macOS and Linux bundles would tentatively be made available today, November 6th. As of this writing, Tor Browser 7.5a7 has already been released, and the team is encouraging everyone to upgrade or use the stable bundles mentioned in their report.