A serious Tor browser flaw leaks users' real IP addresses

The so-called TorMoil flaw stems from a bug in how Firefox handles local file-based addresses.
Written by Zack Whittaker, Contributor

(Image: file photo)

A newly-discovered bug exposes the real-world IP addresses of those who are using the Tor browser, used by millions for anonymity and private browsing.

The bug, called TorMoil by security firm We Are Segment, which discovered it, is triggered when a user clicks on a local file-based address, like file://, rather than http:// or https://. If a user clicks on a specially crafted web page, "the operating system may directly connect to the remote host, bypassing Tor Browser," said the short vulnerability disclosure report.

The Tor Project, which maintains the anonymity-focused browser app, issued a security release for macOS and Linux users, which are largely affected by the vulnerability.

But the non-profit group said it was "only partially fixed" by blocking access to users who navigate to file:// addresses in the browser.

The bug stems from a Firefox bug (the bug report remains private while a permanent fix is found), which shares code with the Tor Project. Details of the bug are being kept under wraps, by both Tor and the security researchers, until the majority of users update the software.

Tor said that there has been no evidence that the vulnerability is being exploited in the wild.

A permanent bug fix is expected to be released later Monday.

Editorial standards