Tor Browser Users Urged to Patch Critical ‘TorMoil’ Vulnerability

Author: Tom Spring
minute read

The Tor Project released a patch for a vulnerability that leaks the real IP addresses of macOS and Linux users of its Tor Browser.

The Tor Project released a patch for a vulnerability that leaks the real IP addresses of macOS and Linux users of its Tor Browser. The patch was issued late Friday and fixes a vulnerability found in Tor Browser version 7.0.8. The patch is in an upgrade to Tor Browser 7.0.9.

Windows users running Tor Browser 7.0.8 are not affected.

“Due to a Firefox bug in handling ‘file://’ URLs, it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser,” according to a post by Tor Project on Friday.

The post said Tails users and sandboxed-tor-browsers are also unaffected by the bug.

It is unclear if prior versions of the Tor Browser are also impacted or if it’s just version 7.0.8.

Filippo Cavallarin, CEO of We Are Segment, is credited for discovering the vulnerability and notifying Tor Project on Oct. 26. The Tor Project team said it created a workaround with the help of the Mozilla engineering team the following day.

“We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild,” the team said.

In addition to the Tor Browser 7.0.9 patch, the Tor team said it is preparing updated macOS and Linux bundles for its alpha series browser, expected Monday.

The Tor Project team also stated that the Tor Browser 7.0.9 patch has known issues. “The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore,” it stated.

The Tor Project announced in July the launch of a public bug bounty program to encourage security researchers to privately report issues they find in the group’s software. Unlike its previous invite-only bug bounty program, this bounty program is open to all bounty hunters through HackerOne. Last year, through its private bounty program, the Tor Project patched a zero-day vulnerability being exploited in the wild to de-anonymize Tor users.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.