TorMoil: Tor flaw exposed IP addresses of Linux and Mac users
A full fix is expected later today
A FLAW in the Tor browser last week exposed the IP addresses of Mac and Linux users.
Every time a user clicked onto links starting with file://, as opposed to https:// and http://, the vulnerability would kick into action. It's been named TorMoil by its finder.
In a blog post published by We Are Segment, the security firm explains that when macOS and Linux users open these addresses, the OS connects directly to the remote host.
"Recently, our CEO, Filippo Cavallarin, discovered a critical security vulnerability in Tor Browser affecting Mac and Linux users that can lead to the leakage of users real IP address," the company wrote.
"Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser."
Members of the Tor Project released a temporary fix on Friday and said Windows users haven't been affected by the problem.
"Tor Browser 7.0.9 is a security bugfix release for macOS and Linux users only. Users on Windows are not affected and stay on Tor Browser 7.0.8," the Project said.
"Tor Browser 7.0.9 is now available for our macOS and Linux users from the Tor Browser Project page and also from our distribution directory.
Related: Tor updates infrastructure to help protect the identity of servers
"This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address (note: as of Nov. 4, 2017, this link is non-public while Mozilla works on a fix for Firefox).
"Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails users and users of our sandboxed-tor-browser are unaffected, though."
Tor developers teamed up with Mozilla to come up with a fix the next day, and the patch for all affected versions is set to go live on Monday. µ
INQ Latest
India sets the bar for net neutrality with 'world's strictest' rules
Seems like a good place to buy a server innit
Intel's new Xeon E chips take aim at entry-level workstations
Ryzen-rivaling silicon packs up to six cores and twelve threads
Chrome 67 protects against Spectre hacks but gobbles more RAM
Render processes get split to avoid Spectre bug exploits
ZTE's long-running saga with the US government is almost over
Firm strikes a deal to end seven-year supply ban
Most read
