Users of Tor anonymity browser on Mac or Linux have been urged to update Tor browsers. This comes after a vulnerability was found in the browser. The vulnerability allows attackers to discover the real IP addresses of supposedly anonymous Tor users. Italian security researcher called Filippo Cavallarin discovered the weakness. TorMoil is only exploitable on Linux and Mac machines and was caused by a Firefox vulnerability.
It was then carried forward into the Tor browser. Tor is based on Firefox. Tor works by connecting to a network of volunteer computers around the world. The traffic enters through an entry guard before traveling through various nodes. It then exits through an exit node.
In total, there are around 7000 volunteer computers. These keep the Tor anonymity network up and running. Only the entry guard node knows the user’s true IP address and only the exit node knows where the traffic is going.
As a result of the circuit of nodes that the traffic passes through it is almost impossible for anyone to trace Tor packets. Unfortunately for Tor users on Linux and Mac machines, TorMoil means that the system can be attacked. The result of which will be the discovery of their true IP addresses. The vulnerability is hugely concerning. An IP address is enough to reveal their true location and identity of the user. But there is good news. A zero-day vulnerability has been temporarily patched by Tor developers. This is available to download and will be Tor version 7.0.8 and later.
TorMoil Works by leaking real IP address when certain types of web addresses are visited from Mac and Linux systems. The vulnerability specifically exposes users when they access web addresses and links that begin with file://.
When the Tor browser opens links that start with the file:// prefix, the operating system can directly connect to the remote host. This bypasses the Tor Browser and permits an attacker using TorMoil to discover the user’s real IP address.
Tor developers say the temporary workaround may cause Tor to be a bit buggy when users visit file:// addresses. Although this vulnerability has been temporarily fixed in Tor, FireFox has not issued a fix. This means that FireFox users who use Virtual Private Network (VPN) browser extensions and proxy plugins are also vulnerable to this attack.
The development team at FireFox is working on a definitive fix for both FireFox and Tor Browser. It is not known when that update will be available. Users are asked to take note that their FireFox privacy extensions could be bypassed with this exploit. If a VPN is running in the Firefox browser and not using a custom VPN client, then it is possible that the FireFox extension is vulnerable to attack.
There is good news for Windows users. Tor developers have confirmed that neither the Windows versions of Tor, Tails nor the sandboxed Tor browser are vulnerable.