Slashdot Mirror


TorMoil Vulnerability Leaks Real IP Address From Tor Browser Users; Security Update Released (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses. The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking. Cavallarin privately reported the issue -- which he codenamed TorMoil -- to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix. Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.

21 comments

  1. Windows is not affected by jfdavis668 · · Score: 3, Interesting

    Boy, is that a change for once.

    1. Re:Windows is not affected by Anonymous Coward · · Score: 2, Interesting

      Boy, is that a change for once.

      Yes and I read the article hoping to understand why. Boy was I disappointed.

      Is there a good reason the article does not explain how the exploit works or exactly what the vulnerability was? It does admit that black-hats can easily determine this from reverse-engineering the patch. So really, what exactly is the justification for not disclosing the details to everyone else?

    2. Re:Windows is not affected by Anonymous Coward · · Score: 2, Informative

      It's still too early to give a post-mortem for non-technical folks. The bug on Bugzilla will be opened when a proper fix is given, and right now only blackhats will want to know the technical details. Until users have updated to a more secure fix than the current work-around, full transparency isn't a good idea.

    3. Re:Windows is not affected by arth1 · · Score: 1

      and right now only blackhats will want to know the technical details.

      That is so not true. In technical detail, we call this a big fat lie.

      I understand why the details are not disclosed, but I certainly don't agree with the Pareto rationale of better protecting the large number of non-technical users at the expense of the security-minded who can use the information in a productive way.

    4. Re:Windows is not affected by gweihir · · Score: 1

      The reason is to give users a few days to patch.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Windows is not affected by Anonymous Coward · · Score: 1

      There is basically nothing stopping any security-minded folks who actually *can* use early information in a productive way from accessing it. Whitehats and other security folks who can actually write patches and resolve issues can easily ask for and gain access to these bugs. So this really is turned around on the people who think like you do: what can you really accomplish with the data that makes it worth the risk? Just because you know a bit about security issues and have a six-digit Slashdot ID doesn't immediately qualify you as a responsible individual who will truly help fix the problem. We collectively lose nothing by having to wait a few more days or weeks until the problem is safely fixed before we know more, unless you simply choose to not trust Tor or Mozilla (at which point why are you using their products for anything security-sensitive?)

    6. Re:Windows is not affected by Anonymous Coward · · Score: 0

      Probably some other backdoor to accomplish the task already exists like comparing keylogger data.

    7. Re: Windows is not affected by Anonymous Coward · · Score: 0

      You are a huge faggot.

  2. Switch to I2P if you are so worried ;-) by williamyf · · Score: 2

    But, on a more serious note, as the summary said, Tor Browser on Windows is not affected. But, as the summary did not say, Tor Browser on TAILS is also not affected.

    So, grab an ISO for TAILS 3.12, liveboot it in a VM and keep Tor Browsing away...

    --
    *** Good luck to everyone and have a happy day!
    1. Re:Switch to I2P if you are so worried ;-) by slashrio · · Score: 1

      Or Whonix, or QubesOS with a dedicated TOR VM.

      --
      "Trump!!", the new Godwin.
    2. Re:Switch to I2P if you are so worried ;-) by mikael · · Score: 2

      That gives a good clue:

      https://ourcodeworld.com/artic...

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  3. Where was that supposed to go by Anonymous Coward · · Score: 0

    ?there?

  4. Be careful with tor.... by Anonymous Coward · · Score: 1

    People should be careful if depending on this for anything safety critical.

    The German spy agency BND developed a system to monitor the Tor network and warned federal agencies that its anonymity is "ineffective".

    There are lots of other reasons to treat it with caution. Won't dig up all the links, but this is a real high priority target for security agencies.

    1. Re:Be careful with tor.... by Anonymous Coward · · Score: 0

      Or it could be disinformation.

    2. Re:Be careful with tor.... by Anonymous Coward · · Score: 0

      If you try and read Slashdot using Tor, and the Tor exit node happens to be in France, you get a Slashdot warning about privacy laws in France... Even those fancy spinning Earth globes that show current visitors also show the location of the exit node, as well as other visitors.

  5. pedophile scum by Anonymous Coward · · Score: 0

    you must be very stupid to not realize that a server needs an IP address to send information to a client. there's no way you can hide. tor is a myth and you all must die.

    1. Re:pedophile scum by Anonymous Coward · · Score: 0

      so how do you find a weed grower that (illegally) spikes his product for excess profit only to poison his customers, if the weed-grower sells to a dealer who sells to a sub-dealer who sells to some down the road local weed-dealer?

      solution is easy: just follow the degrading level of poisoned brain-cells until you reach the guy putting in all the excess nitrogen and insecticide ...

  6. Something didn't work on a mac? by slashmydots · · Score: 1

    This is my surprised face. Anyway, I'm going to take a wild guess people in oppressively governed areas aren't using Macs but they probably are using Linux so this sucks. I hope it doesn't lead to any arrests or raids.

  7. Tor Browser without Tails is a bad idea by Anonymous Coward · · Score: 0

    Unless you have a good idea what you are doing, configuring your system yourself is probably unwise if you need the protection of Tor. It's not entirely clear to me, but I don't think there has been a single vulnerability which would have impacted my setup and I don't think Tails has been impacted by any major issue either. At the end of the day these underlying tools are huge and not designed for anonymity and privacy. Which means everything has to be cordoned off at the lowest of levels. I trust Tor is being analysed thoroughly because it is a high profile target. It's much easier to secure smaller bits of code. I don't trust Firefox. It's got a lot of eyes on it, but it is also a huge code base. In the most secure setup a compromise of even the operating system at the end of the day should not result in a leak. However such setups are tricky and involve removal of web cams, microphones, wireless cards, execution on systems that don't spy on you, and have middle components (router-like devices) running the bare minimum of components segregating off what can't be secured from what can be (i.e. the code on the router-like device from that code which can't be, the desktop operating system, Firefox, etc).

  8. Don't use any Tails newer than 1.4.1 by Anonymous Coward · · Score: 0

    This is the last safe Tails, forget all of the rest.

    https://www.sendspace.com/file/yz3r12

    Same as here. https://kickass.cd/tails-1-4-1-tor-tt12109343.html

    CORRECT HASH: c7bf55250ca7a7ad897fd219af6ef3d4768be54fb3e2537abb3da8f7f4ed8913

    Later versions were compromised by the US gov. (You would think NSA but it was CIA.) Snowden and all that. The build tools are compromised and so is tails.boum.org now. Don't ever expect it not to be either.

    On Android/iOS check out Zom. You can run it through Orbot too.

    1. Re:Don't use any Tails newer than 1.4.1 by Anonymous Coward · · Score: 0

      So how can we be sure that you didn't poison this version on the link you've provided?