TorMoil Bug Exposes Tor Browser Users’ Real IP Address

A critical vulnerability that leaks IP addresses on Linux and Mac devices has been found in the Tor browser. It stems from an unpatched Firefox bug.

Recently, the number of exploits associated with the Tor anonymity browser has been on the rise.

Among these vulnerabilities is the newly discovered “TorMoil” bug that exposes real-world Internet Protocol (IP) addresses of those using Tor for encrypted browsing.

An Italian security firm called We Are Segment first spotted the flaw.

In a write-up explaining their findings, they say the bug originates from how Firefox handles local file-based addresses (file:// URLs).

Since Tor is built on a modified Firefox Extended Support Release, the flaw carries over to the Tor browser as well.

Aside from publishing a short press release, We Are Segment CEO Filippo Cavallarin did not reveal any significant details about this vulnerability to the public.

Instead, the team reported the issue directly to the Tor Project, a non-profit group that maintains the anonymity-centered Tor browser platform.

We Are Segment provided a record of this advisory on its website.

According to We Are Segment security experts, the bug resides in Firefox and affects Tor users who click on local addresses such as file:// rather than http://.

The TorMoil flaw then compromises users’ anonymity and can potentially leak their IP address to attackers upon visiting malicious web pages.

However, the flaw does not affect Windows users.

Upon receiving a notification about this vulnerability, The Tor Project’s developer team worked up a temporary fix—Tor version 7.0.9 for Linux and Mac users.

The release was accompanied by a few paragraphs containing details of the TorMoil flaw, along with some notes on why Linux and Mac users should update their Tor browsers for security reasons.

In We Are Segment’s disclosure report, the team pointed out that the TorMoil vulnerability is harmless in Firefox but catastrophic in the Tor anonymity browser.

For example, once a user on an affected system (macOS or Linux) navigates to a specially crafted web page with a file:// address, the underlying operating system connects directly to the remote host or server, bypassing the Tor browser.

Because that connection is made directly, it does not go through Tor’s relay network, and this can expose the user’s real IP address.
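
A defender's check for the failure mode described above, a connection that leaves the machine without passing through Tor. This is an added example, not code from We Are Segment or the Tor Project; it assumes Linux `ss -Htnp` output, a Tor daemon whose process name is `tor`, and sample lines constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -Htnp` output (not captured from a real host).
SAMPLE_SS = """\
ESTAB 0 0 127.0.0.1:51234 127.0.0.1:9150 users:(("firefox",pid=2101,fd=55))
ESTAB 0 0 192.0.2.20:40112 198.51.100.7:9001 users:(("tor",pid=2050,fd=12))
ESTAB 0 0 192.0.2.20:50444 203.0.113.9:8080
ESTAB 0 0 [::1]:51300 [::1]:9150 users:(("firefox",pid=2101,fd=60))
ESTAB 0 0 192.0.2.20:50446 203.0.113.9:443 users:(("firefox",pid=2101,fd=61))
"""

# First process name inside the users:(("name",pid=...,fd=...)) column.
PROC_RE = re.compile(r'\(\("([^"]+)"')


def split_host(endpoint):
    """Return the IP part of an ss endpoint such as 1.2.3.4:80 or [::1]:80."""
    host = endpoint.rsplit(":", 1)[0]
    return ipaddress.ip_address(host.strip("[]"))


def find_direct_connections(ss_output, allowed=("tor",)):
    """List established TCP flows that leave the host without going through Tor.

    A flow is acceptable only if its peer is loopback (the browser talking to
    the local SOCKS port) or its owner is the Tor daemon. Sockets listed with
    no owning process are reported as well, with owner None.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        peer = fields[4]
        if split_host(peer).is_loopback:
            continue
        match = PROC_RE.search(" ".join(fields[5:]))
        owner = match.group(1) if match else None
        if owner not in allowed:
            findings.append((peer, owner))
    return findings


if __name__ == "__main__":
    for peer, owner in find_direct_connections(SAMPLE_SS):
        print(f"direct connection to {peer} (owner: {owner or 'none listed'})")
```

The check is a point-in-time snapshot, so it only sees connections that are open when `ss` runs.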


In the response that accompanied the security fix, Tor developers further acknowledged the critical flaw on Linux and Mac systems, and confirmed it does not affect Windows users.

The team also stated that users running Tor on the Tails OS and the sandboxed (still alpha-stage) version of the Tor browser are not affected.

Although no harm has been caused at the time of writing, they say an attacker can perform reverse engineering on the Tor browser to detect the patched code.

They noted that well-versed programmers could easily understand how the TorMoil bug occurs, and they could potentially create an exploit for it as well.

That’s why Tor rolled out a partial emergency fix for this particular security vulnerability.

Although Tor developers said there is no evidence that the TorMoil flaw is being exploited in the wild, researchers chose to withhold details of the flaw out of concern for the security and privacy of Tor browser users.

The exact bug details will only be revealed when a permanent fix has been released to effectively stop the potential leak of IP addresses.

However, Tor advises users to assume that their real IP addresses may have been exposed or might leak in the future, and they should upgrade to the latest versions as soon as possible.

While users on the stable version of the browser for Linux and macOS have been updated to Tor version 7.0.9, Mac and Linux users on the alpha channels should upgrade to Tor version 7.5a7.

In a bid to keep users’ anonymity and privacy protected, the Tor Project announced plans to release a series of new security features, including a new cutting-edge encryption system, advanced client authorization, offline service keys and a control port interface.

Other features include secure naming systems, improved guard algorithms, statistics, blockchain support, mixed-latency routing, virtual reality interface and artificial intelligence logic.

These features are set to build on the Tor version release that was rolled out in September. This version supports next-generation onion services, following four years of development.

The new releases are all part of the larger 0.3.2.x series. The series will, by default, replace the legacy onion system that has been in existence for over ten years.

Still, users should know that Tor vulnerabilities are continuing to arise over time. Despite this, you can still protect your security by using a VPN (Virtual Private Network) alongside the Tor browser.

This provides double protection and keeps you safe from any privacy and security-related threats that may reach your device.