Bug in Tor Browser Exposed IP Addresses of macOS and Linux Users

A critical vulnerability that could reveal a Tor user’s IP address was addressed over the weekend in the privacy-focused web browser.

Tracked as CVE-2017-16541, the vulnerability only impacted macOS and Linux users and was caused by a Firefox bug in handling file:// URLs. By exploiting the vulnerability, a malicious site could leak a user’s IP address.

“Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser,” a post on the Tor Project’s blog reveals.

The organization also notes that they are not aware of the vulnerability being exploited in the wild.

The vulnerability didn’t affect Windows users and was addressed in Tor Browser 7.0.9 and Tor Browser 7.5a7 in the alpha channel. Tails users and people using the sandboxed-tor-browser weren’t affected either, the browser’s developers explained.

Dubbed TorMoil, the security flaw was reported on October 26 by Filippo Cavallarin of Working together with Mozilla engineers, the Tor developers released a workaround the next day, but only resolved the issue partially. An additional fix was issued to patch all known bugs.

“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead,” the blog post continues.

Last week, the Tor Project also announced plans for a series of new features, including “offline service keys, advanced client authorization, a control port interface, improved guard algorithms, secure naming systems, statistics, mixed-latency routing, blockchain support, AI logic and a VR interface.”

These features build on the first alpha release of the next generation of onion services, which was announced several weeks ago, following four years of development. Replacing the legacy onion system, which has been around for over 10 years, the new services include new crypto algorithms, improved authentication schemes, better defenses against info leaks, and a reduced overall attack surface.

The legacy system will remain the default option for some more time, to give users enough time to migrate to the next generation. After bugs are addressed and features introduced, the next-gen system will become the default, and then the legacy system will be phased out entirely.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
