TorMoil threatens Mac and Linux versions of Tor browser; Windows and Tails not affected.

Mac and Linux versions of the Tor anonymity browser just received a temporary fix for a critical vulnerability that leaks users' IP addresses when they visit certain types of addresses.

TorMoil, as the flaw has been dubbed by its discoverer, is triggered when users click on links that begin with file:// rather than the more common https:// and http:// address prefixes. When the Tor browser for macOS and Linux is in the process of opening such an address, "the operating system may directly connect to the remote host, bypassing Tor Browser," according to a brief blog post published Tuesday by We Are Segment, the security firm that privately reported the bug to Tor developers.

On Friday, members of the Tor Project issued a temporary work-around that plugs that IP leak. Until the final fix is in place, updated versions of the browser may not behave properly when navigating to file:// addresses. They said both the Windows versions of Tor, Tails, and the sandboxed Tor browser that's in alpha testing aren't vulnerable.

"The fix we deployed is just a workaround stopping the leak," Tor officials wrote in a post announcing Friday's release. "As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136."

Friday's post went on to say that We Are Segment CEO Filippo Cavallarin privately reported the vulnerability on October 26. Tor developers worked with Mozilla developers to create a work-around the following day, but it only partially worked. They finished work on a more complete work-around on Tuesday. The post didn't explain why the fix, delivered in Tor browser version 7.0.9 for Mac and Linux users, wasn't issued until Friday, three days later. The Tor browser is based on Mozilla's open-source Firefox browser. The IP leak stems from a Firefox bug.

Tor officials also warned that alpha versions of the Tor browser for Mac and Linux haven't yet received the fix. They said they have tentatively scheduled a patch to go live on Monday for those versions. In the meantime, the officials said, Mac and Linux alpha users should use updated versions of the stable version.

Tor's statement Friday said there's no evidence the flaw has been actively exploited on the Internet or darkweb to obtain the IP addresses or Tor users. Of course, the lack of evidence doesn't mean the flaw wasn't exploited by law enforcement officers, private investigators, or stalkers. And now that a fix is available, it will be easy for adversaries who didn't know about the vulnerability before to create working exploits. Anyone who relies on a Mac or Linux version of the Tor browser to shield their IP address should update as soon as possible and be ready for the possibility, however remote, their IP addresses have already been leaked.