Due to a bug in the Firefox browser, Tor was leaking the ip addresses of its users if they made a mistake.
The bug was discovered by the Italian security researcher Filippo Cavallarin. The vulnerability resides in FireFox and eventually also affects Tor Browser, since the famous privacy-aware service that allows users to surf the web anonymously uses FireFox at its core.
Dubbed by the researcher as TorMoil, the vulnerability affects Tor browser for macOS and Linux and not for Windows, but the details of the flaw have not been publicly released, out of respect for the security and privacy of Tor users.
TorMoil is triggered when users click on links that begin with file:// addresses, instead of the more common used https:// and http:// addresses.
Tor released a fix for this shortly after:
“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken,” the Tor Project said in a blog post.
“Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.”
Tor’s statement said there is no evidence that the flaw has been actively exploited on the Internet or darkweb to obtain the IP addresses or Tor users. Of course, the lack of evidence doesn’t mean the flaw wasn’t exploited by law enforcement officers, private investigators, or stalkers. And now that a fix is available, it will be easy for adversaries who didn’t know about the vulnerability before to create working exploits.
The company finally released an updated version for the browser here. The new version is called Tor Brfrowser 7.0.9. Since Windows users were not affected, they stay on the older version 7.0.8. But if you do not know wich version you have, since the bug was discovered on Thursday, October 26, by Filippo Cavallarin, everyone who installed the Tor browser before this date should update to the latest version.