Anyone using Tor to browse the web anonymously is being advised to update their browser immediately after a critical bug was discovered that allows an attacker to de-anonymize users. The vulnerability exists in Firefox, on which the Tor browser is based.
Mozilla said that the flaw is already being actively exploited on Windows, and that while there is as yet no indication of a similar exploit on macOS, the same vulnerability exists on all platforms.
The bug is fixed in the latest stable version of Firefox. For those on alpha and hardened versions, there are two ways you can protect yourself.
1) Set the security slider to “High” as this is preventing the exploit from working.
2) Switch to the stable series until updates for alpha and hardened are available, too.
If you’re using the stable version, you should update Firefox to 45.5.1esr and NoScript to 220.127.116.11.
ArsTechnica reports that the exploit allows both IP and MAC addresses to be captured by an attacker.
It’s been speculated that the exploit may have been created by the FBI, but is now in the wild. This risk is, of course, the reason Apple argued against the FBI’s demand that it create a special GovOS version of iOS.