Fingerprint.com Discovers Vulnerability That Can Link Your Tor Browsing Together
The fingerprinting company Fingerprint discovered a vulnerability affecting “all Firefox-based browsers” that would allow a “stable process-lifetime identifier” during a browsing session, including after pressing the “New Identity” button in Tor Browser.
The vulnerability also persists after closing all Firefox Private Browsing mode windows.
Fingerprint.com says they responsibly disclosed the vulnerability to Mozilla and it was quickly addressed in Firefox 150 and ESR 140.10.0.
Tor Browser is based on Firefox, so it inherits the bug.
The vulnerability is related to the IndexedDB API, a feature that allows storage of large, structured data.
When creating a database, a website can see the same ordering of items, even across websites or after all private browsing windows are closed. The ordering only changes once the browser is shut down and restarted.
This poses a problem, as preventing cross-site linkability is one of the main goals of privacy features in Firefox and especially Tor Browser.
The technique is a bit unique in that it doesn’t require storing any specific data like cookies or localStorage; it relies only on the behavior of the browser when storing data.
Small implementation details like this can have massive privacy costs.
The suggested fix is rather simple: impose a canonical ordering for IndexedDB items, such as lexicographic sorting. Randomizing the output is also a possibility, but having consistent sorting is much simpler and easier for developers.
Plus, Fingerprint themselves have previously defeated attempts at randomization. Randomization should always take a backseat to making data look the same across browsers, and only be used in cases where that’s not possible or desirable.
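A small model of the issue and of the suggested fix, added here as an example; it is not code from Firefox, Tor Browser or Fingerprint. The `seed`, `makeProcess`, `distinctOrders` and the database names are assumptions standing in for internal state that lives as long as the browser process.

```javascript
// Constructed model: listing order as a process-lifetime signal, and the
// canonical-ordering fix. Nothing here calls a real browser API.

// Seeded FNV-1a hash; `seed` models internal layout fixed until restart.
function saltedHash(seed, name) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < name.length; i++) {
    h ^= name.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Hypothetical browser process with two ways of listing stored names.
function makeProcess(seed) {
  return {
    // Leaky: order follows internal hash layout, so it encodes the seed.
    listLeaky: (names) =>
      [...names].sort((a, b) => saltedHash(seed, a) - saltedHash(seed, b)),
    // Fixed: lexicographic order, identical in every process.
    listCanonical: (names) => [...names].sort(),
  };
}

// How many different orderings appear across "restarts" (one seed each).
function distinctOrders(method, seeds, names) {
  const seen = new Set();
  for (const seed of seeds) {
    seen.add(makeProcess(seed)[method](names).join(","));
  }
  return seen.size;
}

// Constructed sample data.
const NAMES = ["queue", "cart", "prefs", "inbox", "drafts", "analytics"];
const SEEDS = Array.from({ length: 20 }, (_, i) => 1000 + i * 7919);

// Two unrelated sites in one process see the same order, whatever order
// they created the names in; that shared order is what links them.
const proc = makeProcess(SEEDS[0]);
const siteA = proc.listLeaky(NAMES).join(",");
const siteB = proc.listLeaky([...NAMES].reverse()).join(",");
console.log("sites in one process agree:", siteA === siteB);
console.log("leaky orders over restarts:", distinctOrders("listLeaky", SEEDS, NAMES));
console.log("canonical orders over restarts:", distinctOrders("listCanonical", SEEDS, NAMES));
```

With canonical ordering every process returns the same list, so the order carries no information about the session.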
Be sure to update your browsers as soon as you can in order to get the fix.
With AI finding new vulnerabilities in Firefox at an unprecedented rate, you have to wonder how many subtle privacy flaws also exist in the browser just waiting to be found.
Will AI also be used by tracking companies to find these subtle implementation details that can expose Tor Browser users?
My gut tells me no since these issues are so unique to browsers specifically, whereas memory safety vulnerabilities and the like are more universal across different projects.
Mozilla is optimistic about AI being used for finding vulnerabilities:
“This can feel terrifying in the immediate term, but it’s ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheap.”
It remains to be seen if the same applies to the privacy properties of browsers.