Last week, users of the Mac and Linux versions of the Tor private web browser were plagued by a flaw that resulted in their IP addresses being leaked onto the internet.
Every time a user clicked on a link starting with file://, as opposed to https:// or http://, the flaw kicked into action. Its finder has named it TorMoil.
In a blog post published by We Are Segment, the security firm explained that when macOS and Linux users open these addresses, the OS connects directly to the remote host.
“Recently, our CEO, Filippo Cavallarin, discovered a critical security vulnerability in Tor Browser affecting Mac and Linux users that can lead to the leakage of users’ real IP address. We named it TorMoil,” the company wrote.
“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser.”
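The risk described above is that a file:// link naming a remote host can make the operating system open a connection outside the browser's proxy. The script below, an added example that is not code from We Are Segment, the Tor Project or Mozilla, shows the defender-side check a content filter or page audit would perform: it parses HTML, collects href and src values, and flags file:// URLs whose host is not the local machine. The sample HTML, the LinkCollector and find_remote_file_links names, and the 203.0.113.5 and example.invalid hosts are constructed for the example; it detects the link pattern, not the browser bug itself.

```python
"""Flag file:// links that name a remote host in an HTML document.

Such links can make an operating system reach out to the named host directly,
bypassing any browser-level proxy (the pattern behind the TorMoil leak).
This is an added example for illustration, not code from the page's sources.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that refer to the local machine; a file URL with no host is local too.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


class LinkCollector(HTMLParser):
    """Collect every href and src attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def is_remote_file_url(url):
    """Return True when url uses the file scheme and names a non-local host."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "file":
        return False
    # urlsplit lowercases the host and yields None for file:///path.
    host = parts.hostname or ""
    return host not in LOCAL_HOSTS


def find_remote_file_links(html):
    """Return the list of file:// links in html that point at a remote host."""
    collector = LinkCollector()
    collector.feed(html)
    return [link for link in collector.links if is_remote_file_url(link)]


# Constructed sample page mixing ordinary links with local and remote file links.
SAMPLE_HTML = """
<html><body>
  <a href="https://example.org/page">normal link</a>
  <a href="file:///etc/hosts">local file, no host</a>
  <a href="file://localhost/etc/hosts">local file, explicit host</a>
  <a href="file://203.0.113.5/share/doc.txt">file link naming a remote host</a>
  <img src="file://example.invalid/a.png" alt="remote file as image source">
</body></html>
"""

if __name__ == "__main__":
    for link in find_remote_file_links(SAMPLE_HTML):
        print("remote file link:", link)
```

Running the block reports only the two links whose host is neither empty nor a loopback name; the same function can be applied to any fetched page body before it is handed to a user or rendered.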
Members of the Tor Project released a temporary fix on Friday. They said Windows users haven’t been affected by the problem.
“Tor Browser 7.0.9 is a security bugfix release for macOS and Linux users only. Users on Windows are not affected and stay on Tor Browser 7.0.8,” the Project said.
“Tor Browser 7.0.9 is now available for our macOS and Linux users from the Tor Browser Project page and also from our distribution directory.
“This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address (note: as of Nov. 4, 2017, this link is non-public while Mozilla works on a fix for Firefox).
“Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails users and users of our sandboxed-tor-browser are unaffected, though.”
Tor developers worked with Mozilla the following day to produce a fix, and the patch for all affected versions is set to go live on Monday.