TorMoil Vulnerability Leaks Real IP Address From Tor Browser Users; Security Update Released (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

TorMoil Vulnerability Leaks Real IP Address From Tor Browser Users; Security Update Released (bleepingcomputer.com)

Posted by msmash on Friday November 3, 2017 @01:25PM from the privacy-woes dept.

Catalin Cimpanu, reporting for BleepingComputer: The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses. The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking. Cavallarin privately reported the issue -- which he codenamed TorMoil -- to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix. Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.

11 of 21 comments (clear)

Min score:

Reason:

Sort:

Windows is not affected by jfdavis668 · 2017-11-03 13:33 · Score: 3, Interesting

Boy, is that a change for once.
1. Re:Windows is not affected by Anonymous Coward · 2017-11-03 14:12 · Score: 2, Interesting
  
  Boy, is that a change for once.
  Yes and I read the article hoping to understand why. Boy was I disappointed.
  Is there a good reason the article does not explain how the exploit works or exactly what the vulnerability was? It does admit that black-hats can easily determine this from reverse-engineering the patch. So really, what exactly is the justification for not disclosing the details to everyone else?
2. Re:Windows is not affected by Anonymous Coward · 2017-11-03 14:43 · Score: 2, Informative
  
  It's still too early to give a post-mortem for non-technical folks. The bug on Bugzilla will be opened when a proper fix is given, and right now only blackhats will want to know the technical details. Until users have updated to a more secure fix than the current work-around, full transparency isn't a good idea.
3. Re:Windows is not affected by arth1 · 2017-11-03 16:47 · Score: 1
  
  and right now only blackhats will want to know the technical details.
  That is so not true. In technical detail, we call this a big fat lie.
  I understand why the details are not disclosed, but I certainly don't agree with the pareto rationale of better protecting the large number of non-technical users at the expense of the security minded who can use the information in a productive way.
4. Re:Windows is not affected by gweihir · 2017-11-03 22:51 · Score: 1
  
  The reason is to give users a few days to patch.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
5. Re:Windows is not affected by Anonymous Coward · 2017-11-04 05:30 · Score: 1
  
  There is basically nothing stopping any security-minded folks who actually *can* use early information in a productive way from accessing it. Whitehats and other security folks who can actually write patches and resolve issues can easily ask for and gain access to these bugs. So this really is turned around on the people who think like you do: what can you really accomplish with the data that makes it worth the risk? Just because you know a bit about security issues and have a six-digit Slashdot ID doesn't immediately qualify you as a responsible individual who will truly help fix the problem. We collectively lose nothing by having to wait a few more days or weeks until the problem is safely fixed before we know more, unless you simply choose to not trust Tor or Mozilla (at which point why are you using their products for anything security-sensitive?)
Switch to I2P if you are so worried ;-) by williamyf · 2017-11-03 13:35 · Score: 2

But, on a more serious note, as the summary said, Tor browser on windows is not affected. But, as the summary did not say, Tor Browser on TAILS is also not affected.
So, grab an ISO for TAILS 3.12, liveboot it in a VM and keep Tor Browsing away...

--
*** Suerte a todos y Feliz dia!
1. Re:Switch to I2P if you are so worried ;-) by slashrio · 2017-11-03 14:35 · Score: 1
  
  Or Whonix, or QubesOS with a dedicated TOR VM.
  
  --
  "Trump!!", the new Godwin.
2. Re:Switch to I2P if you are so worried ;-) by mikael · 2017-11-04 02:47 · Score: 2
  
  That gives a good clue:
  https://ourcodeworld.com/artic...
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Be careful with tor.... by Anonymous Coward · 2017-11-03 16:22 · Score: 1

People should be careful if depending on this for anything safety critical.
The German spy agency BND developed a system to monitor the Tor network and warned federal agencies that its anonymity is ineffective“.
There are lots of others reasons to treat it with caution. Won't dig up all the links, but this is a real high priority target for security agenies.
Something didn't work on a mac? by slashmydots · 2017-11-04 05:28 · Score: 1

This is my surprised face. Anyway, I'm going to take a wild guess people in oppressively governed areas aren't using Macs but they probably are using Linux so this sucks. I hope it doesn't lead to any arrests or raids.