Tor on Linux/Mac may leak IP (update available)

Tor users who use the Tor browser on Linux or Mac OS X devices may want to update the program to version 7.0.9 as soon as possible to plug a potential IP leak in the client software.

Tor browser is a cross-platform browser based on Firefox code that integrates the anonymization network Tor in the browser. The browser features several privacy and security related tweaks, some of which are or have been integrated in Firefox recently as well (for instance Canvas use notifications).

Tor Browser users who use Mac or Linux on devices can download the new browser version from the official Tor Project website. Please note that version 7.0.9 has been released only for those operating systems; the Windows versions of Tor browser is still at version 7.0.8 as it is not affected by the potential IP leak issue.

A new blog post on the official Tor Project blog reveals information about the issue. The issue is caused by a bug in Firefox's handling of file:// URLs according to the announcement.

This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser

Users of Tails and users of the sandboxed Tor browser are not affected by the issue.

The fix may impact file:// URL functionality in the Tor browser. The Tor development team notes that "entering file:// URLs in the URL bar and clicking on resulting links is broken" does not work anymore after the update is installed, and that opening those in a "new tab or new window" does not work anymore either. Affected users can drag the link into the URL bar or on a tab instead as a workaround.

The development team tracks these regressions, and it seems likely that fixes will be released in a future version of the Tor browser to address those.