Skip to content
Naked Security Naked Security

Hole in Tor causes TorMoil, update now

A bug could let crooks trick you into revealing your IP number

Do you use Tor?

If you do, then you probably expect it to provide a basic level of online anonymity – notably, that it stops your own IP number showing up when you browse.

To explain.

Your IP number uniquely identifies your computer (or at least your network) so that it can send packets to the internet, and get replies back.

Every packet coming from your network – whether it’s a login attempt, an email you’re sending, or a website you’re browsing to – includes your IP number, to act as a sort of “return home” beacon.

Without this so-called source address, the other end of any internet conversation wouldn’t know what to do with its replies – you’d be able to speak to anyone, but to hear no one.

At home, your IP number is typically allocated by your internet provider when your router powers up.

Even though you may get a different IP number every time you reboot your network, your ISP keeps a record of which household was allocated which IP number for what periods of time.

In other words, you can be identified fairly reliably via your IP number.

Even though it might take a court warrant in your country to get at the necessary records, those records almost certainly exist.

On a less dramatic footing, your IP number is typically static for days or weeks at a time, so that web servers can use it not only to figure out which town and country you’re in, but also to “join the dots” of your recent browsing habits.

Enter Tor

Tor, short for The Onion Router, is a bundle of network software together with a modified version of the Firefox browser, that sets out to change all that.

Greatly simplified, Tor consists of about 7000 computers around the world [2017-11-06T12:00Z], run by volunteers, that shuffle around users’ traffic to disguise its source.

Every time you start up Tor, your computer picks three of the 7000 computers – known as nodes – randomly, and bounces your browsing traffic through them on the way out and back.

Strictly speaking, not all of Tor’s 7000 nodes are made equal. Only about 2000 of them are considered reliable enough to act as the first node, or entry guard, into the Tor system; and only about 1000 are suitable to act as the last hop, or exit node, in a Tor connection, known colloquially as a circuit. Thanks to the way Tor encrypts the traffic passing through it, only the entry guard knows who you are (but not who you are talking to), and only the exit node in each circuit knows where the traffic is going (but not who sent it). The node in the middle stops the entry and exit nodes from colluding to deanonymise your traffic, making it very difficult to trace Tor packets even though you can never be sure which nodes are truly playing the anonymity game. Some nodes are run by crooks; others are operated by law enforcement and intelligence services. Because they can.

So, your Tor browsing traffic appears to originate from somewhere in the Tor network, meaning that you can’t easily be traced, and that your town and country will not only be disguised but will also appear to bounce around the world every time you start Tor.

Indeed, if you’re using Tor, it’s quite fun to browse to Google or Bing and see where the search engines thinks you’re located, and what they think you’ll be interested in.

The Tormoil bug

One problem with Tor is that it can give you a false sense of security.

After all, if you’re browsing via Tor but end up logging into an account that already knows who you are and where you live, then your anonymity is over.

Also, the anonymity of Tor depends on the browser you’re using communicating only via the Tor network and never directly over the internet.

That’s why the browser built into the Tor package is pre-configured so that it won’t accidentally browse via your regular network connection, thus preventing some of your browsing traffic sneaking out along a directly traceable path.

At the end of October, however, an italian security researcher called Filippo Cavallarin found a way to trick Firefox on Linux and macOS into browsing directly, even after you’ve told it not to.

In other words, a crook could feed you a web link that would force your browser to send traceable network packets just when you didn’t expect it.

Because this bug affects Tor’s flavour of Firefox as well as the regular versions, it’s just the kind of thing that crooks or inquisitive government officials would love to exploit in order to be able to trace you directly while you’re busy trying to give them the slip.

Cavallarin couldn’t resist turning this into a BWAIN (a Bug With An Impressive Name), as we jokingly call them, dubbing it TorMoil to reflect the anxiety it might cause to some users in the Tor community.

What to do?

Fortunately, there’s an easy fix: update Tor.

The TorMoil bug has been suppressed in Tor 7.0.9, so once you’ve updated, your IP number is back to being shielded by Tor as it should be.

According to the Tor Project, no one yet seems to have exploited this vulnerability in the wild…

…so if you’re a Tor user, you might as well get one step ahead.

(To make sure you have the latest version, go to the menu item About Tor Browser and you should see Checking for updates... followed by an [Update] button if you are out of date. Note, however, that the TorMoil bug doesn’t apply on Windows, so Windows users will stay at version 7.0.8 while Mac and Linux users advance to 7.0.9.)


Note: Tor Browser 7.0.9 is a security bugfix release for macOS and Linux users only. Users on Windows are not affected and stay on Tor Browser 7.0.8.


Good point. I ought to have made that clear in the article so that Windows users don’t panic when they see they are “stuck” on 7.0.8.

In fact, I’ll go back and add that information into the article right now – thanks.


Sounds like one of the avenues the FBI has been using to identify specific people on the ToR network. Apparently they have several, at least that is what they said repeatedly without giving up real details at a presentation I attended very recently. If the FBI can do it, anybody can if they want to. (and have the resources).


Interesting article but I couldn’t help but be driven half insane by the repeated use of ‘IP number’ VS. IP address


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!