Tor Browser 7.0.3 is released

Note: Tor Browser 7.0.3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.0.2.

Tor Browser 7.0.3 is now available for our Linux users from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support Firefox allows to bypass proxy settings as it ships a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser are unaffected, though.

The bug got reported to us yesterday by Julian Jackson (@atechdad) via our HackerOne bug bounty program. Thanks! We are not aware of it being exploited in the wild.

We are currently preparing updated Linux bundles for our alpha series and they should go live within the next couple of hours. Meanwhile Linux users on that series are strongly encouraged to use the stable bundles or one of the above mentioned tools that are not affected by the underlying problem.

Here is the full changelog since 7.0.2:

  • Linux
    • Bug 23044: Don't allow GIO supported protocols by default

Probably a better way than this but I did this as a quick and dirty.
whereis gvfs
gvfs: /usr/lib64/gvfs /usr/share/gvfs /usr/share/man/man7/gvfs.7.gz

As you can see my system has gvfs and the man for it., I assume this means this is a good bug fix for me.
Thanks Tor guys/gals.


July 27, 2017


Thanks a lot Julian Jackson and your HackerOne bug bounty program !
updated : Priority changed from Medium to Immediate


July 28, 2017


Great thanks to Julian :-)

Where can I read more details about this? What kind of URLs could be used, how would it work, etc.

Is it just an issue if someone clicks on a link or is FF already fetching information without clicking on the link? (Because if FF tries to fetches information about the site without clicking, could it not effect Tor Messenger and Thunderbird/Torbirdy, too ?)

How the NsA would pay for this kind of exploit ?

how to check gvfs is available or not ?

Bad update!

Thanks Obama.

Wah, what a bug!
Thanks for the patch

Is it safe to update the browser addons (HTTPS Everywhere + NoScript) through the Tor Network or should we use what ships with the current version of TBB even if they are outdated?

Please update those extensions whenever an update is available.

How do I configure Wget to use with Tor Browser?

Menu icons have disappeared since tor browser 7.02 release.

What do you mean? Do you have steps for reproducing your problem? Which operating system are you using?

Would you define this as an example of why to use a quality VPN with TOR?

Might be a bit off topic but I believe this started with the release of TB 7.x versions.

The encryption part of signing up for a Tutanota account takes forever and then fails with an error message.

The same happens when trying to download from Decryption takes very long and after it finishes you receive an error about blob resources.

It seems the problem lies with the new spawning of Web Content processes and blob resources.

Is there a way to "fix" this?

On which level is the security slider? If not on "low" does the issue happen as well if it is on "low"?

Happens on all 3 settings. Although on "low" the en/decryption part is as fast as with TB 6.5.2 on "high" but alas you get an error message and are not able to download the blob.

Sorry forgot to mention that all is working fine on TB 6.5.2 with settings on "high".

Too bad you did not post my reply. I would really love to find a solution to this.

As I said, the problem persists on all levels of the security slider although on "low" the javascript calculating part is as fast as it should be but you still can't download the blob in the case of

All is working fine with TB 6.5.2 on "high" security settings.

Here the same problem is discussed with even Tutanota chiming in but they too have no solution. But since the problem lies with TB how could they.

Okay, I just tried with a vanilla Tor Browser 7.0.3 on Linux and this works as expected. I guess you are on Windows as the link to the Tutanota forum indicates?

Works for me with a fresh 7.0.2 on Windows 7 as well. Hm. What does "Multiprocess Windows" on "about:support" in your Tor Browser say?

Are previous TBB versions affected to this particular bug too? When this bug was added to TBB?

We believe that previous versions of Tor Browser are affected as well (definitely 6.5.2 which I tested). There is no particular version this bug got added as the offending code has been in Firefox for years.

my old 3.6.6 version also affected...

anyone please solve my problem.
when I use tor version 7.0.2 It can't download small file such as 15 or 16 kb .Is it the problem of tor .?what should I do??

What is happening? And how are you downloading small files?

See also:

GVfs is shit. Pure shit.

Does it effect hidden service .onion addresses as well?

This bug is unrelated to .onion services.

Doesn't this bug affect Tor Tails because of it special design not to allow direct internet connection or because Tor hasn't gvfs?

We have not looked closer but we think Tails is not affected because it does not allow direct Internet connections.

I am looking for a version that is compatible with mac OS x 10.7.5

There is none without serious security vulnerabilities, alas.