A critical vulnerability that could reveal a Tor user’s IP address was addressed over the weekend in the privacy-focused Tor Browser.
Tracked as CVE-2017-16541, the vulnerability only impacted macOS and Linux users and was caused by a Firefox bug in handling file:// URLs. By exploiting the vulnerability, a malicious site could leak a user’s IP address.
“Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser,” a post on the Tor Project’s blog reveals.
The organization also notes that they are not aware of the vulnerability being exploited in the wild.
The vulnerability didn’t affect Windows users and was addressed in Tor Browser 7.0.9 and Tor Browser 7.5a7 in the alpha channel. Tails users and people using the sandboxed-tor-browser weren’t affected either, the browser’s developers explained.
Dubbed TorMoil, the security flaw was reported on October 26 by Filippo Cavallarin of wearesegment.com. Working together with Mozilla engineers, the Tor developers released a workaround the next day, but it only partially resolved the issue. An additional fix was issued to patch all known bugs.
“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead,” the blog post continues.
Last week, the Tor Project also announced plans for a series of new features, including “offline service keys, advanced client authorization, a control port interface, improved guard algorithms, secure naming systems, statistics, mixed-latency routing, blockchain support, AI logic and a VR interface.”
These features build on the first alpha release of the next generation of onion services, which was announced several weeks ago, following four years of development. Replacing the legacy onion system, which has been around for over 10 years, the new services include new crypto algorithms, improved authentication schemes, better defenses against info leaks, and a reduced overall attack surface.
The legacy system will remain the default option for some more time, to give users enough time to migrate to the next generation. After bugs are addressed and features are introduced, the next-generation system will become the default, and then the legacy system will be phased out entirely.