People who use the Tor anonymity browser on Mac or Linux machines are being warned to update their Tor browser. A vulnerability has been found in the browser. It allows attackers to discover the real IP addresses of supposedly anonymous Tor users. The vulnerability was discovered by an Italian security researcher called Filippo Cavallarin.
TorMoil is only exploitable on Linux and Mac machines. The exploit is caused by a Firefox vulnerability that was carried forward into the Tor browser (which is based on Firefox).
How Does Tor Work?
When you connect to the Tor network, your traffic connects to a number of volunteer computers around the world. The traffic enters via an “entry guard,” travels to various “nodes,” then exits via an “exit node.” In total, there are around 7,000 volunteer computers keeping the Tor anonymity network up and running.
Due to the way that Tor works, only the entry guard node knows the user’s true IP address. In addition, only the exit node knows where the traffic is going. Due to the circuit of nodes that the traffic passes through (between the entry and exit nodes), it is almost impossible for anyone to trace Tor packets and figure out who is doing what online.
Sadly for Tor users on Linux and Mac machines, TorMoil means that this system can be attacked and their true IP addresses discovered. For those users, the vulnerability is hugely concerning because an IP address is enough to reveal their true location and identity.
The good news is that the zero-day vulnerability has now been temporarily patched by Tor developers (Tor version 7.0.8 and later). Linux and Mac users are being urged to update their Tor browser in order to protect themselves from the critical flaw.
How TorMoil Works
The Italian security researcher has revealed that TorMoil can cause Mac and Linux systems to leak their real IP address when certain types of web addresses are visited. Specifically, the vulnerability exposes users when they access web addresses and links that begin with file://
According to a blog by the security firm We Are Segment, when the Tor browser opens links that start with the file:// prefix, "the operating system may directly connect to the remote host, bypassing Tor Browser." This permits an attacker exploiting TorMoil to discover the user’s real IP address. Tor developers say that the temporary workaround may cause Tor to be a bit buggy when users visit file:// addresses:
"The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136."
The good news is that, on this occasion, Windows users are not affected by the vulnerability. Tor developers have confirmed that neither the Windows versions of Tor, Tails, nor the sandboxed Tor browser (currently in alpha) are vulnerable.
Who Else Might Be Affected?
Cavallarin discovered the vulnerability in October. At that time, he managed to force Firefox on Linux and Mac to browse directly, despite being told not to. He realized that the vulnerability meant that cybercriminals could send users a malevolent link that forces Firefox to send traceable packets of information. Due to the fact that the Tor browser was designed from an original version of Firefox, Cavallarin quickly realized that the exploit was critical and contacted Tor.
Although this vulnerability has been temporarily plugged in Tor, at the moment Firefox has not issued a fix. This means that Firefox users who use Virtual Private Network (VPN) browser extensions (not dedicated operating system level VPNs, which are fine) and proxy plugins are also vulnerable to this attack. Cavallarin told me:
Firefox is affected as well and the dev team is working on a definitive fix for both Firefox and Tor Browser. The point is: Tor Browser issued a temporary workaround since they needed to release a patch ASAP while the Firefox team is still working on the fix. So yes, Firefox users using VPN or Proxy extensions are affected. This is the reason why we didn’t release all the information and exploit code. The release note of Tor Browser links to the Mozilla bug tracker used to manage this bug, but the link is not public yet.
As such, Firefox users (on Linux and Mac operating systems) should look out for the forthcoming Firefox fix for the vulnerability. It is not currently known when that update will become available, so users need to be aware that their Firefox privacy extensions could be bypassed with this exploit, exposing their true IP address.
What's more, some VPN providers mistakenly refer to their browser proxy extensions as VPNs (which is incorrect and hugely confusing for consumers). If your VPN is running in your Firefox browser (as opposed to using a custom VPN client), then it is possible that your Firefox extension is vulnerable to attack. You have been warned.