The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses.
The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking.
Cavallarin privately reported the issue — which he codenamed TorMoil — to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix.
Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.
According to Cavallarin, the issue is actually a Firefox bug in the way the browser handles file:// URLs. While the issue is harmless in Firefox, it's catastrophic in the Tor Browser.
"Once an affected [Tor Browser] user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser," Cavallarin said.
By directly connecting to the page, the Tor Browser will not go through the network of Tor relays, exposing the user's real-world IP address.
"We are not aware of this vulnerability being exploited in the wild," the Tor Project said today in a statement. Nonetheless, an attacker can reverse engineer the Tor Browser binary and detect the patched code. A well-versed programmer can then very easily understand how the bug occurs and create an exploit for it.
While most Linux users are affected, the Tor Project team said that Linux users running Tor Browser on the Tails OS distro are not affected, as well as users utilizing the (still alpha-stage) sandboxed version of the Tor Browser.
Tor developers also added that the patch they delivered to fix the IP leak is only a workaround — put together in a hurry to stop the leak as soon as possible — and file:// URL functionality may be broken for Tor Browser users in some situations. According to Tor Browser developers, users may be able to open file:// URLs by dragging and dropping the link into a new tab.