- Researchers uncovered a bug in Firefox and Tor Browser that allowed websites to generate hidden, stable identifiers without cookies.
- The problem stemmed from IndexedDB behavior, which enables persistent fingerprinting even in private browsing or Tor’s “New Identity” mode.
- Mozilla and Tor quickly fixed the vulnerability, with patches included in Firefox 150 and Tor Browser 15.0.10.
Browsers such as Mozilla Firefox and Tor Browser contained a vulnerability where websites could create a hidden ID from browser sessions without using cookies or other obvious tracking methods.
The vulnerability was discovered by security researchers Dai Nguyen and Martin Bajanik of Fingerprint. In an in-depth report published earlier this week, the duo said the issue allowed websites to derive a “unique, deterministic, and stable process-lifetime identifier” from the sequence of records returned by IndexedDB, even when users expect “stronger isolation.”
IndexedDB is a built-in browser database that lets websites store large amounts of structured data (like files or app data) directly on the device. It allows web apps to work faster and even offline without constantly talking to a server. However, when a website asked the browser for a list of stored items, the order of the list was not random. Instead, it reflected internal browser behavior that could be turned into a unique fingerprint.
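A toy model of the ordering leak described above, added here as an illustration and not taken from the Fingerprint report or Mozilla's code. The per-process secret, the mixing function and all names are assumptions, and canonical sorting is shown as one way to remove the signal, not as a description of Mozilla's patch.

```javascript
// Toy model, constructed for illustration; not Firefox's IndexedDB code.
// Assumption: the "internal browser behavior" is a secret value that stays
// fixed for the lifetime of one browser process.

// 32-bit mixer: FNV-1a followed by a murmur-style finalizer.
function mix(seed, text) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (const ch of text) {
    h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
  }
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b) >>> 0;
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35) >>> 0;
  return (h ^ (h >>> 16)) >>> 0;
}

class ToyProcess {
  constructor(processSecret) { this.secret = processSecret >>> 0; }

  // Weak listing: order follows internal placement, which depends on the secret.
  listLeaky(names) {
    return [...names].sort((a, b) => mix(this.secret, a) - mix(this.secret, b));
  }

  // Hardened listing: canonical order, independent of internal state.
  listCanonical(names) {
    return [...names].sort();
  }
}

// What a page can observe from one listing call.
const observe = (list) => list.join(",");

// Count the distinct observations produced by a set of processes.
function distinctObservations(secrets, names, hardened) {
  const seen = new Set();
  for (const s of secrets) {
    const p = new ToyProcess(s);
    seen.add(observe(hardened ? p.listCanonical(names) : p.listLeaky(names)));
  }
  return seen.size;
}

const NAMES = ["a", "b", "c", "d", "e", "f", "g", "h"]; // constructed sample
const SECRETS = Array.from({ length: 16 }, (_, i) => 1000 + i * 7919);

console.log("leaky:", distinctObservations(SECRETS, NAMES, false),
            "canonical:", distinctObservations(SECRETS, NAMES, true));
```

In the leaky listing the same process returns the same order on every call, while different processes tend to return different orders; the canonical listing returns one order everywhere, so the order carries no information.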
Private browsing
This is bad news for privacy-minded users, and it gets worse: the vulnerability persisted even in private browsing mode.
“In Firefox private browsing mode, the identifier can persist even after all private windows are closed, as long as the Firefox process remains running,” the researchers explained. “In Tor Browser, the stable identifier itself exists through the ‘New Identity’ feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuitry.”
Fingerprint responsibly disclosed the problem to both Mozilla and the Tor Project, and patches were quickly released. Mozilla addressed it in Firefox 150 and ESR 140.10.0, tracking the patch as Mozilla Bug 2024220. Tor fixed it indirectly by pulling in Mozilla’s fix. According to available reports, Tor Browser version 15.0.10 contains the same security update that fixed the problem in Mozilla Firefox.



