An emergency security fix released for the Tor Browser preventing a user’s IP address from being revealed.
The hole is only in the macOS and Linux versions of the browser, so those users should upgrade to version 7.0.9 (or 7.5a7, for those who use the alpha channel).
The vulnerability, called TorMoil, ended up discovered by We Are Segment chief executive Filippo Cavallarin.
“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser,” said a researcher in a post.
The company also said it will not disclose the exploit, but will release more details about the flaw when a solid fix is in place.
The fix the Tor Project released is a temporary workaround.
“The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes,” Tor Browser developers noted.
This fix stalls some of the browser’s functionality. As the developers noted, “navigating file:// URLs in the browser might not work as expected anymore,” and users will have to drag the link into the URL bar or on a tab to make it work.
The Windows version of Tor Browser is not affected by the vulnerability, nor is the Sandboxed Tor Browser or Tails (a Linux distribution that forces all outgoing connections through Tor).