Mac and Linux users, it is time to update your Tor browsers! While Windows and Tails users are unaffected, Mac and Linux users are urged to update to Tor Browser 7.0.9 in order to patch a vulnerability that leaks users' real IP addresses.
According to a post by The Tor Project, a Firefox bug in handling ‘file://’ URLs makes it possible for users on both systems to leak their IP address. Once an affected Tor Browser user navigates to a specially crafted webpage, the operating system may directly connect to the remote host, bypassing Tor Browser.
Because that connection is made directly, it does not go through the network of Tor relays, thereby exposing the user's real IP address.
Codenamed TorMoil, the flaw was first spotted by Filippo Cavallarin, CEO of the cybersecurity firm We Are Segment, who reported it to The Tor Project. The Tor Project team said it has created a workaround with the help of the Mozilla engineering team (Tor Browser is based on the Firefox browser) and has now released a fix supposedly plugging all holes, although they are unaware whether this vulnerability has been exploited in the wild.
In any case, Tor Browser developers state that a workaround for opening file:// URLs is to drag and drop the link into a new tab.