Tor users are being urged to update their browser after a flaw that allows hackers to de-anonymize users was discovered. The bug was discovered in Firefox, on which the Tor browser is based.
There is some speculation that the exploit was created by a law enforcement agency to catch people engaging in criminal online activity, such as child porn.
“The exploit in this case works in essentially the same way as the ‘network investigative technique’ used by FBI to deanonymize Tor users (as FBI described it in an affidavit),” says Mozilla security chief Daniel Veditz in a blog post. “This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency. As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web.”
Upon updating your Tor browser, it is necessary to restart your browser for the changes to take effect.
Tor said users who had set their security slider to ‘High’ are believed to be untouched by the vulnerability.
“We will have alpha and hardened Tor Browser updates out shortly,” a Tor blog post reads. “In the meantime, users of these series can mitigate the security flaw in at least two ways: Set the security slider to ‘High’ as this is preventing the exploit from working or switch to the stable series until updates for alpha and hardened are available, too.”