- Researchers discovered a flaw in Firefox and Tor Browser that allowed websites to generate stable, hidden identifiers without cookies.
- The issue arose from the behavior of IndexedDB, which allowed persistent fingerprinting even in private browsing or after Tor’s “New Identity” reset.
- Mozilla and Tor quickly patched the vulnerability, with fixes included in Firefox 150 and Tor Browser 15.0.10.
Browsers such as Mozilla Firefox and Tor Browser contained a vulnerability that let websites create a hidden identifier for browser sessions without using cookies or obvious tracking methods.
The vulnerability was discovered by security researchers Dai Nguyen and Martin Bajanik of Fingerprint. In an in-depth report published earlier this week, the duo said the issue allowed websites to derive a “unique, deterministic, and stable identifier of process duration” from the order of entries returned by IndexedDB, even when users expect “stronger isolation.”
IndexedDB is an in-browser database that allows websites to store large amounts of structured data (such as files or application data) directly on the device. It allows web applications to run faster and even offline without constantly talking to a server. However, when a site asked the browser for a list of stored items, the order of that list was not random. Instead, it reflected the browser’s internal behavior, which could become a unique fingerprint.
Private browsing
That is bad enough for privacy-oriented users, but it gets worse: the vulnerability persisted even in private browsing mode.
“In Firefox’s private browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process is still running,” the researchers explained. “In Tor Browser, the stable identifier persists even through the ‘New Identity’ feature, which is designed to be a hard reset that clears cookies and browser history and uses new Tor circuits.”
Fingerprint responsibly disclosed the issue to both Mozilla and the Tor Project, and patches were quickly released. Mozilla fixed it in Firefox 150 and ESR 140.10.0, tracking the patch as Mozilla Bug 2024220. Tor fixed it indirectly, by applying Mozilla’s fix. According to available reports, version 15.0.10 of Tor Browser includes the same security update that resolved the issue in Mozilla Firefox.
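For administrators who want to check a fleet against the fixed versions named above, the following is an added example and not code from Fingerprint, Mozilla or the Tor Project. The inventory records, product labels and host names are constructed, and ESR builds outside the 140 branch are reported as unknown because the article names no fix for them.

```python
import re

# Fixed versions exactly as stated in the article.
FIXED = {
    "firefox": (150,),
    "firefox-esr": (140, 10, 0),
    "tor-browser": (15, 0, 10),
}

def parse_version(text):
    """Return (numeric tuple, is_esr) for strings such as '140.10.0esr'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))

def at_least(version, minimum):
    """Compare after zero-padding, so (150,) equals (150, 0, 0)."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def classify(product, version_text):
    """Return 'fixed', 'vulnerable' or 'unknown' for one installed browser."""
    try:
        version, is_esr = parse_version(version_text)
    except ValueError:
        return "unknown"  # betas, nightlies and garbage need manual review
    key = product.strip().lower()  # product labels are an assumed convention
    if key == "firefox" and is_esr:
        key = "firefox-esr"
    if key not in FIXED:
        return "unknown"
    if key == "firefox-esr" and version[0] != FIXED[key][0]:
        return "unknown"  # the article only names the 140 ESR branch
    return "fixed" if at_least(version, FIXED[key]) else "vulnerable"

def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(product, ver) for host, product, ver in inventory}

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("host-a", "firefox", "149.0.2"), ("host-b", "firefox", "150.0"),
    ("host-c", "firefox", "140.9.1esr"), ("host-d", "firefox", "140.10.0esr"),
    ("host-e", "tor-browser", "15.0.9"), ("host-f", "tor-browser", "15.0.10"),
    ("host-g", "firefox", "128.14.0esr"), ("host-h", "firefox", "150.0b3"),
]
```
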