Tor Browser has received an emergency security fix for a critical vulnerability that can leak users' IP addresses when they visit certain kinds of addresses. The flaw was reported by Filippo Cavallarin, CEO of the security firm We Are Segment, and has been dubbed TorMoil.


About the Vulnerability

Because the fix is only temporary, We Are Segment has not revealed the full details of the exploit. The bug is present only in the macOS and Linux versions of the browser. They have announced that once a suitable fix for the flaw is available, it will be shared with all users. Users on the alpha channel are advised to upgrade at once to version 7.0.9 or 7.5a7.

“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser,” the ethical hacking company explained, and said that they will refrain from disclosing the exploit and more details about the flaw until a proper fix is put in place.

The fix included in the above-mentioned versions of Tor Browser for macOS and Linux is a workaround, not a permanent solution.

“The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes,” Tor Browser developers noted.

The fix is only temporary and should be superseded soon, and it breaks some browser functionality.

As the developers noted, “navigating file:// URLs in the browser might not work as expected anymore,” and users will have to drag the link into the URL bar or on a tab to make it work.

They also say that they are not aware of this vulnerability being exploited in the wild. Even so, it should not be ignored. Users of Linux and macOS should upgrade their browsers to version 7.0.9 or 7.5a7. The Windows version of Tor Browser is not affected by the vulnerability, nor are the Sandboxed Tor Browser or Tails.

The Tor Project

Last week the Tor Project released the next generation of its onion service system. In due time it will supersede the legacy system completely.

“The new system is a well needed improvement that fixes many shortcomings of the old design, and builds a solid foundation for future onion work,” the developers noted. “On the cryptography side, we are looking at cutting-edge crypto algorithms and improved authentication schemes. On the protocol end, we redesigned the directory system to defend against info leaks and reduce the overall attack surface. Now, from an engineer’s perspective, the new protocol is way more extensible and features a cleaner codebase. And finally from the casual user’s PoV, the only thing that changes is that new onions are bigger, tastier and they now look like this: 7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion.”
