Researchers at Fingerprint discovered a Firefox vulnerability that creates a persistent identifier linking separate Tor browser identities, undermining the privacy protections users expect from Tor.
Security researchers identified a critical privacy flaw in Firefox that allows tracking across supposedly anonymous Tor identities through IndexedDB, a local storage mechanism.
The vulnerability stems from how Firefox handles IndexedDB in private browsing mode within Tor Browser. Rather than isolating storage between sessions, Firefox generates a stable identifier that persists across different Tor identities. This means a website could link browsing activity across multiple supposedly separate anonymous sessions.
How It Works
IndexedDB is a browser API for storing structured data locally. Tor Browser typically partitions storage by identity, but the researchers found Firefox assigns a stable identifier to the IndexedDB partition itself. When users switch Tor identities, this identifier remains constant, creating a tracking vector that circumvents Tor's isolation mechanisms.
The flaw affects Firefox-based browsers using Tor, including Tor Browser itself. Websites exploiting this could fingerprint users across different Tor identities by reading the stable IndexedDB identifier, defeating the purpose of using Tor to maintain separate anonymous sessions.
Impact and Response
The discovery challenges a core Tor use case: maintaining multiple independent anonymous identities. Users switching Tor identities specifically to avoid linking their activities now face unexpected correlation.
Fingerprint disclosed the vulnerability responsibly, and Mozilla has been notified. The researchers recommend Firefox users avoid storing data in IndexedDB while using Tor until patches are released. Tor Browser maintainers may need to implement additional mitigations at the browser level if Mozilla's fixes prove insufficient.
Context
This vulnerability joins a growing list of privacy issues found in popular browsers, highlighting how storage APIs can leak identifier information despite privacy-focused design. The findings underscore tensions between browser functionality and privacy guarantees, especially in privacy-centric applications like Tor Browser.
A Cambridge study reveals that terrorist organizations including Boko Haram and ISIS are using ChatGPT, Claude, and Gemini to plan attacks and develop weapons. Safety filters designed to prevent such misuse have repeatedly failed.
The Australian Cyber Security Centre has issued an alert about coordinated exploitation of vulnerable content management systems and plugins worldwide. The campaign targets organizations using outdated or unpatched CMS software.
Artificial intelligence discovered a critical security vulnerability in Linux kernel code that human developers overlooked for over a decade. The bug could allow unauthorized root access to systems.
Researchers have demonstrated a new attack called 'Ghostcommit' that hides prompt injections in PNG files to fool AI code reviewers and agents into exposing repository secrets.