A serious Tor browser flaw leaks users' real IP addresses

The so-called TorMoil flaw stems from a bug in how Firefox handles local file-based addresses.

(Image: file photo)

A newly-discovered bug exposes the real-world IP addresses of those who are using the Tor browser, used by millions for anonymity and private browsing.

The bug, called TorMoil by security firm We Are Segment, which discovered it, is triggered when a user clicks on a local file-based address, like file://, rather than http:// or https://. If a user clicks on a specially crafted web page, "the operating system may directly connect to the remote host, bypassing Tor Browser," said the short vulnerability disclosure report.

The Tor Project, which maintains the anonymity-focused browser app, issued a security release for macOS and Linux users, which are largely affected by the vulnerability.

But the non-profit group said it was "only partially fixed" by blocking access to users who navigate to file:// addresses in the browser.

The bug stems from a Firefox bug (the bug report remains private while a permanent fix is found), which shares code with the Tor Project. Details of the bug are being kept under wraps, by both Tor and the security researchers, until the majority of users update the software.

Tor said that there has been no evidence that the vulnerability is being exploited in the wild.

A permanent bug fix is expected to be released later Monday.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Read More

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All