The bug was first made public on a Tor mailing list at 21:55:23 UTC 2016 on Tuesday and was quickly confirmed by Tor co-founder Roger Dingledine. Dingledine announced shortly the vulnerability had been initially discovered that Mozilla security engineers were actively working on a fix.
As of 12:45 p.m. ET, Mozilla had released Firefox 50.0.01 to patch the bug, although a Tor browser update is still needed. Dingledine said in a message board post that after Mozilla released its patch, “then the step after that is a quick Tor Browser update.”.
The collected data included the user’s IP address and hostname.
Similarities to previous bugs
That exploit was implemented by the United States Federal Bureau of Investigation in attempts to track down Tor users using the browser to access child pornography.
It is not known who is behind the current exploit.
What to do
Although it appears that the exploit currently only targets Firefox on Windows, security Dan Guido, noted on Twitter that macOS users of Firefox are also vulnerable.