TorMoil Bug; the Tor IP Leak

Tor has been in use for quite a number of years now, and it’s becoming even more popular. This can be attributed to growing online privacy concerns raised by government legislation as well as threats from cybercriminals.

What is Tor and why do people use it?

Tor stands for The Onion Router, a name that comes from how the system works. Tor intercepts traffic generated by an app on your computer, usually the browser, and shuffles it through a number of random computers before delivering it to its destination.

Through this process, your IP address is masked and your location is therefore disguised. This makes it hard for any server to identify you or even tell how many times you have visited a web page. Surveillance and tracking become more difficult, which increases your security.

How does the Tor Network keep you safe?

The Tor network is made up of about 7,000 computers located in different places. These computers are referred to as nodes, and a single Tor connection uses three of them. Not all of them are considered reliable: only about 2000 of them qualify to act as the first node, otherwise known as the ‘entry guard’ into the Tor system. About 1000 others qualify to act as the last hop, or the ‘exit node.’

These are the two most sensitive nodes, as the entry guard gets the details of your real IP address and the exit node knows where your traffic is going. The good thing, however, is that the entry guard can’t tell where your traffic is going, and neither can the exit node tell where your traffic is coming from.

Further, there is the middle node, which prevents the entry guard and the exit node from colluding and making sense of your traffic. This means that even though you can’t trust all the nodes in the Tor network, at least they don’t have a way of tracking you themselves.

The TorMoil Bug

The bad news is that Tor’s ability to keep you safe by masking your IP address has been threatened. Tor Browser could give you a false sense of security, leaving you to think that you are protected and anonymous when you are not.

This is because of a bug that was recently discovered by Filippo Cavallarin, CEO of We Are Segment, an Italian company that specializes in cyber-security and ethical hacking. Cavallarin found a way in which hackers can trick the Tor Browser on Mac OS and Linux systems into browsing directly, even when you think that you are connected to the Tor network. The researcher dubbed the bug ‘TorMoil,’ in a bid to reflect the anxiety that it might bring to users in the Tor community.

The TorMoil bug was discovered in both the Firefox browser and the Tor Browser. This is because Tor Browser is based on a fork of Firefox. Though the bug has no effect on Firefox users, it has potentially devastating effects on Tor Browser users.

By exploiting this bug, a hacker can lure you to a web link that then forces your browser to send traceable network traffic without your knowledge.

This is the kind of thing a cyber-criminal or even a government official could do to gain information about you. This information can then be used to harm you or to bring legal proceedings against you.

What causes the IP Leak?

According to Cavallarin, the issue is caused by how the Firefox browser handles file:// URLs.

He said that “Once an affected [Tor Browser] user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser.”

When you open the ‘file://’ page, the connection skips the Tor relays and goes directly to the remote host, exposing your actual IP address. As for why the bug doesn’t affect Windows users, Cavallarin didn’t say much, but he promised to give more details once a fix is fully implemented.
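Because the trigger is a web page that references a file:// URL, a defender reviewing or filtering untrusted HTML can flag such references before they reach a browser. The sketch below is an added example, not code from the Tor Project, Mozilla or the researcher; the attribute list is an illustrative assumption rather than a complete one, and the sample page and its paths are constructed placeholders.

```python
from html.parser import HTMLParser

# Attributes through which a page can make the browser load or open a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster"}
C0_OR_SPACE = "".join(map(chr, range(0x21)))

def is_file_url(value):
    """True if a browser would read this attribute value as a file: URL."""
    # Browsers strip leading/trailing control characters and spaces, drop
    # tabs and newlines anywhere, and treat the scheme case-insensitively.
    cleaned = value.strip(C0_OR_SPACE).translate({9: None, 10: None, 13: None})
    scheme, colon, _ = cleaned.partition(":")
    return bool(colon) and scheme.lower() == "file"

class FileUrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        named = dict(attrs)
        # HTMLParser has already decoded character references in values.
        for name, value in attrs:
            if name in URL_ATTRS and value and is_file_url(value):
                self.findings.append((line, tag, name, value))
        # <meta http-equiv="refresh" content="0; url=..."> also navigates.
        if tag == "meta" and (named.get("http-equiv") or "").lower() == "refresh":
            target = (named.get("content") or "").partition(";")[2].strip()
            if target.lower().startswith("url="):
                url = target[4:].strip("'\" ")
                if is_file_url(url):
                    self.findings.append((line, tag, "content", url))

def scan(html):
    """Return every file: reference found in the given HTML text."""
    scanner = FileUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the paths are placeholders.
SAMPLE = """<html><body>
<a href="https://example.org/">ordinary link</a>
<a href="  FILE:///placeholder/a">padded, mixed case</a>
<img src="fi&#108;e:///placeholder/b.png">
<meta http-equiv="refresh" content="0; url=file:///placeholder/c">
</body></html>"""
```

Calling `scan(SAMPLE)` reports the padded link, the entity-encoded image source and the meta refresh, and leaves the ordinary https link alone.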

What’s the Fix?

When Cavallarin identified the fault, he privately reported it to the Tor Project developers. These developers then worked with Firefox and released an update to deal with the flaw.

“The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes,” Tor Browser developers noted.

Tor Browser 7.0.9 is the latest fix so far and it prevents your IP address from leaking when you click a ‘file://’ link.

Tor developers, however, stated that your browser may handle different files differently, and only a proper fix will solve the problem completely.

“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead.”

In other words, you will need to start dragging file:// links to the URL bar or a tab instead of simply clicking on them.

Not Really Exploited

On a more positive note, Tor later released a statement saying that there hasn’t been any evidence that the flaw has been taken advantage of or actively exploited on the internet or dark web.

This gives some confidence that user IPs were not maliciously used, but it doesn’t mean that the IPs didn’t fall into the hands of private investigators, law enforcement officers or stalkers.

This is a critical security issue, and whether you often click file:// links or not, it is highly recommended that you update your Tor browser to the latest version to avoid falling victim to cyber-criminals or exposing yourself to the law.

VPN Adviser