This Firefox vulnerability may have been tracking all your private Tor identities – even in Private Mode
Researchers found a bug where websites could create a hidden ID
- Researchers uncovered a flaw in Firefox and Tor Browser that allowed websites to generate hidden, stable identifiers without cookies.
- The issue stemmed from IndexedDB behavior, enabling persistent fingerprinting even in private browsing or Tor’s “New Identity” mode.
- Mozilla and Tor quickly patched the vulnerability, with fixes included in Firefox 150 and Tor Browser 15.0.10.
Browsers like Mozilla Firefox and Tor Browser contained a vulnerability where websites could create a hidden ID from browser sessions without using cookies or other obvious tracking methods.
The vulnerability was discovered by security researchers Dai Nguyen and Martin Bajanik of Fingerprint. In an in-depth report published earlier this week, the duo said the issue allowed websites to derive a “unique, deterministic, and stable process-lifetime identifier” from the order of entries returned by IndexedDB, even when users expect “stronger isolation”.
IndexedDB is a built-in browser database that lets websites store large amounts of structured data (like files or app data) directly on the device. It allows web apps to work faster and even offline without constantly talking to a server. However, when a site asked the browser for a list of stored items, the order of that list wasn’t random. Instead, it reflected internal browser behavior, which could be turned into a unique fingerprint.
Private Browsing
While this sounds bad for more privacy-oriented users, it gets even worse since the vulnerability persisted even when using the private browsing mode.
“In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running,” the researchers explained. “In Tor Browser, the stable identifier persists even through the "New Identity" feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.”
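To see why list order alone can link sessions, here is a simplified model, added as an illustration and not code from Firefox, Tor Browser or the researchers' report. The `ModelProcess` class, its random internal ids and the sorted "after" variant are assumptions made for this example; the model only shows that an order tied to process-lifetime state repeats across sessions, and that a canonical order carries no such signal.

```javascript
// Simplified model (assumption), not Firefox or Tor Browser code.
// A "browser process" gives each stored item a random internal id that it
// keeps until the process exits, and lists items in internal-id order.
class ModelProcess {
  constructor() {
    this.internalIds = new Map(); // survives across sessions, not restarts
  }
  idFor(name) {
    if (!this.internalIds.has(name)) {
      this.internalIds.set(name, Math.random()); // model only, not a CSPRNG
    }
    return this.internalIds.get(name);
  }
  // "Before": the returned order mirrors internal state.
  listLeaky(names) {
    return [...names].sort((a, b) => this.idFor(a) - this.idFor(b));
  }
  // "After": a canonical order is the same in every process.
  listCanonical(names) {
    return [...names].sort();
  }
}

// Constructed sample: 16 item names a page stores and then lists back.
const NAMES = Array.from({ length: 16 }, (_, i) => "item" + String(i).padStart(2, "0"));

// One private session: nothing is carried over except the process itself.
function sessionSignature(proc, leaky) {
  const listed = leaky ? proc.listLeaky(NAMES) : proc.listCanonical(NAMES);
  return listed.join(",");
}

// Number of distinct signatures seen across `count` separate processes.
function distinctSignatures(count, leaky) {
  const seen = new Set();
  for (let i = 0; i < count; i++) {
    seen.add(sessionSignature(new ModelProcess(), leaky));
  }
  return seen.size;
}

const proc = new ModelProcess();
console.log("same process, two sessions match:",
  sessionSignature(proc, true) === sessionSignature(proc, true));
console.log("distinct leaky signatures over 100 processes:", distinctSignatures(100, true));
console.log("distinct canonical signatures over 100 processes:", distinctSignatures(100, false));
```

In this model, 16 items allow 16! possible orderings, roughly 44 bits, which is why a short list is enough to tell processes apart.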
Fingerprint responsibly disclosed the issue to both Mozilla and the Tor Project, and patches were quickly released. Mozilla addressed it in Firefox 150 and ESR 140.10.0, while tracking the patch in Mozilla Bug 2024220. Tor fixed it indirectly, by pulling Mozilla’s fix. According to available reports, Tor Browser version 15.0.10 includes the same security update that solved the issue in Mozilla Firefox.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.