FIREFOX TOR BUG EXPOSES STABLE IDENTIFIER ACROSS PRIVATE IDENTITIES

INDUSTRY DESK | 2 MIN READ
WED, APR 22, 2026

■ AI-SUMMARIZED FROM 1 SOURCE BELOW

Researchers at Fingerprint discovered a Firefox vulnerability that creates a persistent identifier linking separate Tor Browser identities, undermining the privacy protections users expect from Tor.

Security researchers identified a critical privacy flaw in Firefox that allows tracking across supposedly anonymous Tor identities through IndexedDB, a local storage mechanism. The vulnerability stems from how Firefox handles IndexedDB in private browsing mode within Tor Browser. Rather than isolating storage between sessions, Firefox generates a stable identifier that persists across different Tor identities. This means a website could link browsing activity across multiple supposedly separate anonymous sessions.

How It Works

IndexedDB is a browser API for storing structured data locally. Tor Browser typically partitions storage by identity, but the researchers found Firefox assigns a stable identifier to the IndexedDB partition itself. When users switch Tor identities, this identifier remains constant, creating a tracking vector that circumvents Tor's isolation mechanisms.

The flaw affects Firefox-based browsers using Tor, including Tor Browser itself. Websites exploiting this could fingerprint users across different Tor identities by reading the stable IndexedDB identifier, defeating the purpose of using Tor to maintain separate anonymous sessions.

Impact and Response

The discovery challenges a core Tor use case: maintaining multiple independent anonymous identities. Users switching Tor identities specifically to avoid linking their activities now face unexpected correlation.

Fingerprint disclosed the vulnerability responsibly, and Mozilla has been notified. The researchers recommend Firefox users avoid storing data in IndexedDB while using Tor until patches are released. Tor Browser maintainers may need to implement additional mitigations at the browser level if Mozilla's fixes prove insufficient.

Context

This vulnerability joins a growing list of privacy issues found in popular browsers, highlighting how storage APIs can leak identifier information despite privacy-focused design. The findings underscore tensions between browser functionality and privacy guarantees, especially in privacy-centric applications like Tor Browser.

■ SOURCES

Hacker News

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
