A serious Tor browser flaw leaks users’ real IP addresses


A newly discovered bug exposes the real-world IP addresses of those who are using the Tor browser, used by millions for anonymity and private browsing.

The bug, called TorMoil by security firm We Are Segment, which discovered it, is triggered when a user clicks on a local file-based address, like file://, rather than http:// or https://. If a user clicks on a specially crafted web page, “the operating system may directly connect to the remote host, bypassing Tor Browser,” said the short vulnerability disclosure report.

The Tor Project, which maintains the anonymity-focused browser app, issued a security release for macOS and Linux users, who are largely affected by the vulnerability.

But the non-profit group said it was “only partially fixed” by blocking access to users who navigate to file:// addresses in the browser.

The flaw stems from a bug in Firefox, which shares code with the Tor Project (the bug report remains private while a permanent fix is found). Details of the bug are being kept under wraps, by both Tor and the security researchers, until the majority of users update the software.

Tor said that there has been no evidence that the vulnerability is being exploited in the wild.

A permanent bug fix is expected to be released later Monday.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
