Researchers at Fingerprint discovered a Firefox vulnerability that creates a persistent identifier linking separate Tor browser identities, undermining the privacy protections users expect from Tor.
Security researchers identified a critical privacy flaw in Firefox that allows tracking across supposedly anonymous Tor identities through IndexedDB, a local storage mechanism.
The vulnerability stems from how Firefox handles IndexedDB in private browsing mode within Tor Browser. Rather than isolating storage between sessions, Firefox generates a stable identifier that persists across different Tor identities. This means a website could link browsing activity across multiple supposedly separate anonymous sessions.
How It Works
IndexedDB is a browser API for storing structured data locally. Tor Browser typically partitions storage by identity, but the researchers found Firefox assigns a stable identifier to the IndexedDB partition itself. When users switch Tor identities, this identifier remains constant, creating a tracking vector that circumvents Tor's isolation mechanisms.
The flaw affects Firefox-based browsers using Tor, including Tor Browser itself. Websites exploiting this could fingerprint users across different Tor identities by reading the stable IndexedDB identifier, defeating the purpose of using Tor to maintain separate anonymous sessions.
Impact and Response
The discovery challenges a core Tor use case: maintaining multiple independent anonymous identities. Users switching Tor identities specifically to avoid linking their activities now face unexpected correlation.
Fingerprint disclosed the vulnerability responsibly, and Mozilla has been notified. The researchers recommend Firefox users avoid storing data in IndexedDB while using Tor until patches are released. Tor Browser maintainers may need to implement additional mitigations at the browser level if Mozilla's fixes prove insufficient.
Context
This vulnerability joins a growing list of privacy issues found in popular browsers, highlighting how storage APIs can leak identifier information despite privacy-focused design. The findings underscore tensions between browser functionality and privacy guarantees, especially in privacy-centric applications like Tor Browser.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.