Privacy Vulnerability in Firefox and TOR Browsers

Security Boulevard, Apr 23, 2026

Why It Matters

The exploit undermines core privacy protections that millions rely on, potentially exposing sensitive browsing habits. Prompt remediation restores confidence in Firefox and Tor as viable tools for anonymous online activity.

Key Takeaways

  • The company Fingerprint identified a metadata-ordering flaw in the Firefox and Tor browsers
  • Vulnerability enabled fingerprinting despite private browsing or Tor usage
  • Mozilla patched the issue in Firefox 150 on April 21, 2026
  • Flaw stemmed from low entropy in IndexedDB metadata retrieval
  • Experts warn AI-generated code may create similar privacy bugs

Pulse Analysis

Private-browsing tabs and the Tor network have long been the go-to defenses for users seeking to conceal their online footprints. When Fingerprint discovered that Firefox and Tor were leaking a subtle pattern in how they queried IndexedDB metadata, it revealed a new attack surface: even without cookies or IP tracking, the deterministic order of non-sensitive data could serve as a unique identifier. This kind of side-channel fingerprinting bypasses traditional privacy layers, allowing trackers to stitch together sessions across ostensibly isolated browsing environments.

The technical root of the flaw lay in insufficient entropy during metadata retrieval. Browsers construct a list of stored database entries in a fixed sequence that varies by the user's system configuration, effectively creating a digital fingerprint. By observing this order, malicious sites could correlate activity across private sessions and Tor circuits, compromising anonymity. Mozilla's response, shipping Firefox 150 with a randomized metadata ordering algorithm, neutralized the vector and restored the expected privacy guarantees. The patch underscores the importance of rigorous entropy testing in browser development, especially for components that handle seemingly innocuous data.

Looking ahead, the incident serves as a cautionary tale for the broader software ecosystem. As AI-driven code generators like Anthropic's Claude Mythos become mainstream, the risk of inadvertently embedding low-entropy patterns grows. Security teams must adopt proactive fuzzing and entropy audits to preempt similar vulnerabilities. Meanwhile, privacy-conscious users should stay vigilant, applying updates promptly and considering layered defenses beyond browser settings to safeguard their digital identities.
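As an added illustration of the flaw described above and of the entropy audit the article recommends (this is not code from the article, from Fingerprint or from Mozilla), the Python below models the two behaviours and audits them: a fixed ordering keyed on a constructed system-configuration string stands in for the pre-patch retrieval, a per-call shuffle stands in for the Firefox 150 fix, and the audit reports whether the ordering is stable for a given configuration and how many bits it distinguishes across configurations. The database names, configuration strings and hash-based ordering are assumptions made for the model.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed sample of per-origin database names; the article does not
# say which entries were enumerated on the affected builds.
DB_NAMES = ["cache", "prefs", "sessions", "telemetry", "assets"]

def deterministic_order(config: str, rng=None) -> tuple:
    """Stand-in for the pre-patch behaviour the article describes: entries
    come back in a fixed sequence that depends only on the user's system
    configuration (modelled as a hash of a constructed config string;
    this is not Firefox's real retrieval code)."""
    def key(name):
        return hashlib.sha256((config + name).encode()).hexdigest()
    return tuple(sorted(DB_NAMES, key=key))

def randomized_order(config: str, rng: random.Random) -> tuple:
    """Stand-in for the Firefox 150 fix: a fresh shuffle on every retrieval,
    so the order carries no stable signal about the system."""
    names = list(DB_NAMES)
    rng.shuffle(names)
    return tuple(names)

def audit(order_fn, configs, calls_per_config: int, rng) -> dict:
    """Entropy audit of an ordering channel.
    stability: fraction of configurations whose ordering never changed across
      repeated calls (1.0 means the order is a reusable identifier).
    bits: Shannon entropy of the ordering across configurations, i.e. how many
      identifying bits a stable channel hands to an observer."""
    first_seen, stable = [], 0
    for cfg in configs:
        seen = {order_fn(cfg, rng) for _ in range(calls_per_config)}
        stable += int(len(seen) == 1)
        first_seen.append(next(iter(seen)))
    n = len(first_seen)
    bits = -sum(c / n * math.log2(c / n) for c in Counter(first_seen).values())
    return {"stability": stable / len(configs), "bits": round(bits, 2)}

def run_audit() -> tuple:
    """Constructed population: 64 distinct systems, 20 retrievals each."""
    configs = [f"os=linux;locale=en;build={i}" for i in range(64)]
    rng = random.Random(0)
    before = audit(deterministic_order, configs, 20, rng)
    after = audit(randomized_order, configs, 20, rng)
    return before, after  # before is stable; after is not an identifier
```

A channel is only a fingerprint when both numbers are high: the deterministic model is fully stable and leaks several bits, while the shuffled model still varies across configurations but never repeats for the same one, so an observer cannot reuse it.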
