FIREFOX TOR BUG EXPOSES STABLE IDENTIFIER ACROSS PRIVATE IDENTITIES
INDUSTRY DESK
WED, APR 22, 2026 (AI-SUMMARIZED FROM 1 SOURCE)
Researchers at Fingerprint discovered a Firefox vulnerability that creates a persistent identifier linking separate Tor browser identities, undermining the privacy protections users expect from Tor.
Security researchers identified a critical privacy flaw in Firefox that allows tracking across supposedly anonymous Tor identities through IndexedDB, a local storage mechanism.
The vulnerability stems from how Firefox handles IndexedDB in private browsing mode within Tor Browser. Rather than isolating storage between sessions, Firefox generates a stable identifier that persists across different Tor identities. This means a website could link browsing activity across multiple supposedly separate anonymous sessions.
How It Works
IndexedDB is a browser API for storing structured data locally. Tor Browser typically partitions storage by identity, but the researchers found Firefox assigns a stable identifier to the IndexedDB partition itself. When users switch Tor identities, this identifier remains constant, creating a tracking vector that circumvents Tor's isolation mechanisms.
The flaw affects Firefox-based browsers using Tor, including Tor Browser itself. Websites exploiting this could fingerprint users across different Tor identities by reading the stable IndexedDB identifier, defeating the purpose of using Tor to maintain separate anonymous sessions.
Impact and Response
The discovery challenges a core Tor use case: maintaining multiple independent anonymous identities. Users switching Tor identities specifically to avoid linking their activities now face unexpected correlation.
Fingerprint disclosed the vulnerability responsibly, and Mozilla has been notified. The researchers recommend Firefox users avoid storing data in IndexedDB while using Tor until patches are released. Tor Browser maintainers may need to implement additional mitigations at the browser level if Mozilla's fixes prove insufficient.
Context
This vulnerability joins a growing list of privacy issues found in popular browsers, highlighting how storage APIs can leak identifier information despite privacy-focused design. The findings underscore tensions between browser functionality and privacy guarantees, especially in privacy-centric applications like Tor Browser.
SOURCES: Hacker News