Submitted via IRC for SoyCow1984
TorMoil, as the flaw has been dubbed by its discoverer, is triggered when users click on links that begin with file:// rather than the more common https:// and http:// address prefixes. When the Tor browser for macOS and Linux is in the process of opening such an address, "the operating system may directly connect to the remote host, bypassing Tor Browser," according to a brief blog post published Tuesday by We Are Segment, the security firm that privately reported the bug to Tor developers.
On Friday, members of the Tor Project issued a temporary work-around that plugs that IP leak. Until the final fix is in place, updated versions of the browser may not behave properly when navigating to file:// addresses. They said the Windows versions of Tor, Tails, and the sandboxed Tor browser that's in alpha testing aren't vulnerable.
(Score: 0) by Anonymous Coward on Wednesday November 08 2017, @02:10PM
My thoughts were similar when I read the post. One would think that this field is protocol specific, in which case "file://" shouldn't actually have a bound protocol at all.
But perhaps not. Maybe Mozilla uses this field more generically. Which wouldn't surprise me. Around IE4, things started getting real hinky. IE4 pretty much implemented everything in the most busted way possible, and other browsers decided to emulate broken functionality to give an appearance of compatibility. Of course that was the wrong move. And what resulted was what Redmond wanted: A totally busted insecure web.
If this is a hole, it is a stupidly big one. But it isn't a surprising one.