Skip to main content

TorMoil Vulnerability Leaks Real IP Address from Tor Browser Users

The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses.

The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking.

Cavallarin privately reported the issue — which he codenamed TorMoil — to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix.

Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.

IP leak caused by "file://" links

According to Cavallarin, the issue is actually a Firefox bug in the way the browser handles file:// URLs. While the issue is harmless in Firefox, it's catastrophic in the Tor Browser.

"Once an affected [Tor Browser] user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser," Cavallarin said.

By directly connecting to the page, the Tor Browser will not go through the network of Tor relays, exposing the user's real-world IP address.

TorMoil not (yet) exploited in the wild

"We are not aware of this vulnerability being exploited in the wild," the Tor Project said today in a statement. Nonetheless, an attacker can reverse engineer the Tor Browser binary and detect the patched code. A well-versed programmer can then very easily understand how the bug occurs and create an exploit for it.

While most Linux users are affected, the Tor Project team said that Linux users running Tor Browser on the Tails OS distro are not affected, as well as users utilizing the (still alpha-stage) sandboxed version of the Tor Browser.

Tor developers also added that the patch they delivered to fix the IP leak is only a workaround — put together in a hurry to stop the leak as soon as possible — and file:// URL functionality may be broken for Tor Browser users in some situations. According to Tor Browser developers, users may be able to open file:// URLs by dragging and dropping the link into a new tab.

Labels:

Comments

Post a Comment

Popular posts from this blog

Floyd Mayweather Baby Mama Sues for $20 Mil ... He's a Despicable Liar

Floyd Mayweather could lose tens of millions of dollars from his big payday if his baby mama gets her way ... because she's just filed a lawsuit claiming he ruined her with lies to save his own ass. Josie Harris, who has 3 kids with Floyd, claims he lied through his teeth in an interview with Katie Couric just 2 weeks before the big fight ... when he claimed Josie was in a drug-fueled rage and he had to "restrain" her during their infamous 2010 domestic violence incident. Point of fact ... Floyd was convicted of domestic violence and spent two months in jail. Josie recounts her terror in the lawsuit, explaining how she and Floyd had broken up ... but he flew into a jealous rage that night, broke into her home and viciously attacked her while she was sleeping on her couch ... and her kids saw part of the beating. Harris says she is now labeled a drug addict thanks to Mayweather's lies -- and was embarrassed and humiliated on a global scale.   Her lawyer, Dan Friedl...
Post a Comment
Read more

Dangerous sex Positions For Men

The most common cause of pénile injury is found among the variety of potentially dangerous positions used for séxual intercourse. The most popular is the ‘woman-on-top’. This type of position can result in an impact between the pénis against the female pelvis or perineum that can easily traumatize the pénile cylinders. A pénis becomes érect when the lining of the cylinder within it is engorged with blood.  A pénis fracture can occur when there is trauma to the eréct pénis, resulting in a rupture of the cylinder lining. This very painful injury is often accompanied by an abrupt, distressing cracking noise that is immediately followed by dark bruising of the pénis due to blood escaping the cylinder. In ten to 30% of pénis fractures, the urethra is damaged and blood may be visible at the urinary opening. Given these signs, an injury should be relatively simple to diagnose, right? You would be surprised, even with the unsettling sounds of a fracture occurring, many men...
Post a Comment
Read more

Google Authenticator, a formidable layer of protection to your account.

​Google Authenticator is a free security app that can protect your accounts against password theft. It's easy to set up and can be used in a process called two-factor authentication (2FA) offered on popular social media services like Gmail, Facebook, Twitter, Instagram, etc.  The app ( iOS / Android ) generates a random code used to verify your identity when you're logging into various services. The code can technically be sent to your phone via text message every time— but the Google Authenticator app provides an extra level of security.  SMS-based 2FA has a  known security flaw , and any devoted hacker can attempt to  socially engineer  an attack against your phone company. The Google Authenticator app eliminates the possibility of an SMS-based attack  using algorithms  to generate the codes on your phone. Here's how to set it up: 1. Download Google Authenticator from either the Apple App Store or the Android Google Play store. It's free. 2. Nex...
Post a Comment
Read more