Certain users of the privacy-minded Tor web browser should download the app's latest update, which adds a temporary fix to prevent the browser from leaking identifying information, namely IP addresses. The TorMoil bug, as named by the security research company that discovered the vulnerability, We Are Segment, can take advantage of a flaw in the browser to uncover a user's real IP address, outing anonymous browsers should they click on a particular type of link.
Image credit: Dean Mouhtaropoulos/Getty
Your Real IP Could Be Leaked
The IP address leaking issue only affects Tor browsers on Mac and Linux devices (Windows and Tails Tor users are safe for now). We Are Segment CEO Filippo Cavallarin identified the issue as a bug in the way the Tor browser (built atop a version of Firefox) deals with links beginning with the "file://" handler. Why Windows or Tails Tor users are unaffected is unclear, but Cavallarin plans to share more details about the flaw after a proper fix has been implemented. Tor handles http:// and https:// links by sending your traffic through Tor's network of volunteer-operated virtual tunnels to anonymise it. Clicking a file:// URL would, instead of routing it through the proper privacy-minded servers, allow the operating system to connect directly to the remote host, revealing the user's IP address.
Update Now, But Expect Another Update Soon
The newest update, Tor browser 7.0.9, fixes the TorMoil bug, and prevents your IP address from leaking when you select a file:// link. According to Tor, however, your browser may handle the files differently until a proper fix is put into place:
The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead.
In short, you'll need to start dragging file:// links to the URL bar or tab instead of simply clicking on them. Whether you often click file:// links or not, you should update your Tor browser to the most current stable version to prevent yourself from potentially falling victim to the identity-exposing bug.
Critical Tor flaw leaks users' real IP address - update now [Ars Technica]