Comments
Great find, great write-up. Such a simple bug (and fix).
We responsibly disclosed the issue to Mozilla and to the Tor Project. Mozilla has quickly released the fix in Firefox 150 and ESR 140.10.0, and the patch is tracked in Mozilla Bug 2024220. The underlying root cause is inherited by Tor Browser through Gecko’s IndexedDB implementation, so the issue is relevant to both products and to all Firefox-based browsers.
The fix is straightforward in principle: the browser should not expose internal storage ordering that reflects process-scoped state. Canonicalizing or sorting results before returning them removes the entropy and prevents this API from acting as a stable identifier.
I wonder if this fix annoys some government agencies around the world.
Good catch. Very likely not to be exploited in the wild at least until now.
I wouldn’t be so sure - I can see someone accidentally stumbling over it doing something benign like TDD.



