Discovered by Italian security researcher Filippo Cavallarin, the vulnerability resides in FireFox that eventually also affects Tor Browser, since the privacy-aware service that allows users to surf the web anonymously uses FireFox at its core.
Dubbed by the researcher as TorMoil, the vulnerability affects Tor browser for macOS and Linux and not for Windows, but keeping in mind the security and privacy of Tor users, details about this flaw has not been yet publicly revealed.
Cavallarin, CEO of the security firm We Are Segment, privately reported the security vulnerability to Tor developers on Thursday (October 26), and the Tor developers have rolled out an emergency update Tor version 7.0.8.
According to a short blog post published Tuesday by We Are Segment, the TorMoil vulnerability is due to a Firefox issue in “handling file:// URLs.”
Important: Tor Browser 7.0.9 is released (Linux/MacOS users) – Fixes a critical security flaw that leaks IP address https://t.co/gITj8F7DnW
— The Hacker News (@TheHackersNews) November 3, 2017
TorMoil is triggered when users click on links that begin with file:// addresses, instead of the more common https:// and http:// addresses.
“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address,” the blog post reads.
“Once an affected user [running macOS or Linux system] navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser.”
The Tor Project has currently issued a temporary workaround to prevent the real IP leakage.
So, macOS and Linux users may found the updated versions of the Tor anonymity browser not behaving properly while navigating to file:// addresses, until a permanent patch becomes available.
“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken,” the Tor Project said in a blog post published Friday.
“Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.”
According to the Tor Project, users of both the Windows versions of Tor, Tails and the sandboxed-tor-browser that’s in alpha testing are not affected.
The Tor Project also said there’s no evidence the TorMoil vulnerability has been actively exploited by hackers to obtain the IP addresses of Tor users.
However, lack of evidence does not prove the bug was not exploited by nation-state attackers and skilled hackers, given the high-demand of Tor zero-day exploit in the market, where Zerodium is ready to pay anyone $1 Million for its exploit.
In an attempt to keep its users’ privacy protected, the Tor Project has recently announced the release of Tor 0.3.2.1-alpha that includes support for the next generation onion services, with the integration of new cutting-edge encryption and improvement of overall authentication into its web service.
Source : THN