
Tor Browser Bug ‘Could Leak Users’ Real IP Addresses’

The Tor Browser, used to navigate web pages without disclosing the user’s identity, has been hit by a security bug that could leak a user’s real internet address, the project has confirmed.

Security firm We Are Segment notified the Tor project of an issue affecting the Mac and Linux versions of the browser late last month, and an update was released on Friday with a temporary fix.

Researchers said they wouldn’t disclose details of the issue until a permanent fix was available.

But they said the vulnerability affects the way the Firefox browser handles pages using the “file://” protocol, used to navigate file repositories.

Tor network ‘bypassed’

The Tor Browser is based on Mozilla’s Firefox.

“Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser,” We Are Segment said in an advisory.

The Tor project released version 7.0.9 of its browser on Friday, and on Monday patched the alpha testing version of the browser with version 7.5a7.

The project said users of Tails, a privacy-oriented Linux distribution developed by Tor, aren’t affected by the Linux version of the bug, and a sandboxed Tor browser currently in alpha testing is also unaffected.

Workaround

“We are not aware of this vulnerability being exploited in the wild,” Tor developers said in a blog post.

The project said its temporary fix may cause issues with navigating to “file://” addresses, including breaking links found on such pages.

Tor developers said Mozilla is working on a fix for Firefox which will then be incorporated into the Tor Browser.

Tor is used by those looking for anonymity, but has also been linked to criminal websites selling contraband such as drugs or outlawed weapons.

The now-defunct Silk Road contraband site operated as a Tor hidden service, taking payments in the Bitcoin cryptocurrency.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
