The Tor Project released a patch for a vulnerability that leaks the real IP addresses of macOS and Linux users of its Tor Browser. The patch was issued late Friday and fixes a vulnerability found in Tor Browser version 7.0.8. The patch is in an upgrade to Tor Browser 7.0.9.
Windows users running Tor Browser 7.0.8 are not affected.
“Due to a Firefox bug in handling ‘file://’ URLs, it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser,” according to a post by Tor Project on Friday.
The post said Tails users and sandboxed-tor-browsers are also unaffected by the bug.
It is unclear if prior versions of the Tor Browser are also impacted or if it’s just version 7.0.8.
Filippo Cavallarin, CEO of We Are Segment, is credited for discovering the vulnerability and notifying Tor Project on Oct. 26. The Tor Project team said it created a workaround with the help of the Mozilla engineering team the following day.
“We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild,” the team said.
In addition to the Tor Browser 7.0.9 patch, the Tor team said it is preparing updated macOS and Linux bundles for its alpha series browser, expected Monday.
The Tor Project team also stated that the Tor Browser 7.0.9 patch has known issues. “The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore,” it stated.
The Tor Project announced in July the launch of a public bug bounty program to encourage security researchers to privately report issues they find in the group’s software. Unlike its previous invite-only bug bounty program, this bounty program is open to all bounty hunters through HackerOne. Last year, through its private bounty program, the Tor Project patched a zero-day vulnerability being exploited in the wild to de-anonymize Tor users.