The Tor Project released a patch fixing an issue that could reveal the real IP address of macOS and Linux users of Tor Browser.
A Tor blog post explains that the issue centers on a flaw in how Firefox handles file:// URLs. “Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser,” the post says.
Tor credits Filippo Cavallarin, CEO of We Are Segment, with finding the flaw and reporting it to the Tor Project on Oct. 26. The Tor Project initially developed a workaround with Mozilla, before ultimately fixing the problem on Oct. 31 with the release of Tor Browser 7.0.9.
No known cases of the flaw being exploited in the wild have been reported.