If you are a using a Tor service in Linux or Mac then here is an important updates for you all. Today, Tor project team have released a patch for the critical security bug that reveals users real IP address.
Filippo Cavallarin CEO of Italian security firm We Are Segment, had discovered this bug and privately reported to Tor project team. He gave name to this bug as "TorMoil".
What you have to DO?
Cavallarin had reported this bug last week and Tor project team have also worked with Firefox team to solve the issue. Tor have already released the patch the bug and released latest version of its browser v7.0.9. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.
What Causes the Bug?
On the blog post Cavallarin have not disclose the technical details of the bug, but he pointed the main cause of TorMoil Bug.
On blog he wrote, the issue is actually a Firefox bug in the way the browser handles file:// URLs. While the issue is harmless in Firefox, it's catastrophic in the Tor Browser.
"Once an affected [Tor Browser] user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser,"- he said.By directly connecting to the page, the Tor Browser will not go through the network of Tor relays, exposing the user's real-world IP address.
Tor team have confirmed that the Vulnerability has been exploited in wild, but they also mentioned this is just a quick fix for the bug. A well known reverse engineering guy can easily get the patch code to know how the bug occurred and can create an exploit for it.
Tor running on Tails OS is not affected and Users using a sandbox version of is also safe.
As this is a quick fix for the bug, some of the users may face problems while using a file:// functionality, hence Firefox team guide to open file:// URLs by dragging and dropping the link into a new tab.