Tor is a browser created for anonymous browsing, protecting the user from being identified for both noble purposes (for example, denunciations against authoritarian governments) and for criminal purposes (drug trafficking and pedophilia, for example). So it’s understandable that the community takes a fright with a bug that was leaking the users’ real IPs.
The bug, dubbed “TorMoil” (a word game with the name of the browser that can be translated as “turbulence”), has been identified in the macOS and Linux versions. It is presented if the user tries to access a specific type of link, starting with “file: //” instead of the more common “http: //” or “https: //” as explained by Ars Technica.
The vulnerability was discovered by a security company called We Are Segment, which reported the breach directly to Tor developers, who handed out a temporary patch that addresses the issue while a final solution is not ready. In practice, it is the famous “gambiarra”.
“The fix we distribute is an alternative solution that prevents leakage. As a result, browsing URLs with ‘file: //’ may not work as expected, “said Tor Project representatives. This way, when you click on links with this prefix or enter them in the address bar, the browser simply will not be able to open them. The alternative offered by the developers is to drag the address with the mouse to the address bar or to a new tab.
It is worth noting that the crash does not reach Tor users in Windows. In addition, the Tor statement says there is no evidence that the breach had been exploited during the time it was open. That said, lack of evidence does not mean that the vulnerability has ever been exploited, so browser users on Linux and Mac should upgrade the browser as soon as possible.