{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreie6ry4wy2ip4l5znqzg6lspsgjyhi2vvi5y74cft6zvc35v47zc2q",
"uri": "at://did:plc:awj2q63kg2v3k5xwsjh2uoe3/app.bsky.feed.post/3mkax363ndnr2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreicbsdanl2dorhvgsem3mxpoyxrinqicgkfeitfezq3a42xmwnfnvi"
},
"mimeType": "image/jpeg",
"size": 98170
},
"description": "The fingerprinting company fingerprint.com discovered a vulnerability affecting “all Firefox-based browsers” that would allow a “stable process-lifetime identifier” during a browsing session, including after pressing the “New Identity“ button in Tor browser.",
"path": "/news/2026/04/24/fingerprint-com-discovers-vulnerability-that-can-link-your-tor-browsing-together/",
"publishedAt": "2026-04-24T16:28:40.000Z",
"site": "https://www.privacyguides.org",
"tags": [
"Fingerprint",
"Firefox 150",
"ESR 140.10.0",
"IndexDB API",
"vulnerabilities"
],
"textContent": "The fingerprinting company Fingerprint discovered a vulnerability affecting “all Firefox-based browsers” that would allow a “stable process-lifetime identifier” during a browsing session, including after pressing the “New Identity“ button in Tor browser.\n\nThe vulnerability also persists after closing all Firefox Private Browsing mode windows.\n\nFingerprint.com says they responsibly disclosed the vulnerability to Mozilla and it was quickly addressed in Firefox 150 and ESR 140.10.0.\n\nTor browser is based on Firefox so it inherits the bug.\n\nThe vulnerability is related to the IndexDB API, a feature that allows storage of large, structured data.\n\nWhen creating a database, a website can see the same ordering of items, even across websites or when closing all private browsing windows. The ordering only changes once the browser is shut down and restarted.\n\nThis poses a problem as cross-site linkability is one of the main goals of privacy features in Firefox and especially Tor browser.\n\nIt’s a bit unique in that it doesn’t require storing any specific data like cookies or localStorage, it just relies on the behavior of the browser when storing data.\n\nSmall implementation details like this can have massive privacy costs.\n\nThe suggested fix is rather simple: impose a canonical ordering for IndexDB items, such as lexographic sorting. Randomizing the output is also a possibility, but having consistent sorting is much simpler and easier for developers.\n\nPlus, Fingerprint themselves have previously defeated attempts at randomization. Randomization should always take a backseat to making data look the same across browsers, and only be used in cases where that’s not possible or desirable.\n\nBe sure to update your browsers as soon as you can in order to get the fix.\n\nWith AI finding new vulnerabilities in Firefox at an unprecedented rate, you have to wonder how many subtle privacy flaws also exist in the browser just waiting to be found.\n\nWill AI also be used by tracking companies to find these subtle implementation details that can expose Tor browser users?\n\nMy gut tells me no since these issues are so unique to browsers specifically, whereas memory safety vulnerabilities and the like are more universal across different projects.\n\nMozilla is optimistic about AI being used for finding vulnerabilities:\n\n> This can feel terrifying in the immediate term, but it’s ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheap.\n\nIt remains to be seen if the same applies to the privacy properties of browsers.",
"title": "Fingerprint.com Discovers Vulnerability That Can Link Your Tor Browsing Together",
"updatedAt": "2026-04-24T16:28:40.313Z"
}