A massive vulnerability in Firefox's IndexedDB just shattered Tor's privacy promises. Dive into the Hacker News drama, the tech breakdown, and dev takeaways.

What's up, fellow code monkeys? Just when you thought you could browse the dark web in peace or stash some cryptocurrency without the feds snooping, Tor gets slapped with a massive privacy reality check. A recent post exploded on Hacker News (hitting a massive 829 score), revealing that Tor's holy grail of anonymity has a gigantic leak. Grab your coffee and let's dissect this dumpster fire.
The drama started when Fingerprint.com—a company that literally sells browser fingerprinting solutions—dropped a tactical nuke on the privacy community. They discovered a stable identifier vulnerability utilizing the IndexedDB API in Firefox.
Here is the kicker: Tor Browser is essentially Firefox wearing a trench coat. When you click "New Identity" or request a new Tor circuit, you expect to be reborn as a completely new, untraceable user. But nope! Because Firefox failed to properly isolate and clear the IndexedDB state across different private sessions, this stable ID persists.
It links all your pristine, supposedly isolated anonymous identities into one neat little profile. It's like putting on an invisibility cloak but forgetting to take off your GPS-enabled smart shoes.
The HN comment section turned into an absolute warzone:
There is no silver bullet for online privacy. Trusting a single tool to protect you is like trusting a PM who says "there will be no scope creep." Pure fiction.
For the dev folks in the room: If you're messing with client-side storage (LocalStorage, IndexedDB), pay damn good attention to isolation and lifecycle management. State leaking isn't just a backend database problem; it happens right in the browser. Leaking a user's state across sessions is a massive YIKES.
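
A session-teardown routine of the kind this advice points at, as an added example (not code from Fingerprint.com or from this post). The function names and the `env` parameter are assumptions made here; the routine only cleans up state your own origin created and does nothing about the browser-level bug.

```javascript
// Added example: wipe origin-scoped client state when a session ends.
// `env` is a hypothetical parameter (defaults to the browser globals).
function deleteDatabase(idb, name) {
  return new Promise((resolve) => {
    const req = idb.deleteDatabase(name);
    req.onsuccess = () => resolve({ name, status: "deleted" });
    req.onerror = () => resolve({ name, status: "error" });
    // Another tab or a forgotten connection still holds the database open:
    // the delete stays pending, so report it instead of assuming success.
    req.onblocked = () => resolve({ name, status: "blocked" });
  });
}

async function endSession(env = globalThis) {
  const { indexedDB, localStorage, sessionStorage } = env;
  const report = { databases: [], leftovers: [], clean: false };

  // Key/value stores are synchronous: clear them first.
  localStorage.clear();
  sessionStorage.clear();

  // Enumerate every database the origin owns, not only the ones
  // the current code path remembers creating.
  const dbs = await indexedDB.databases();
  report.databases = await Promise.all(
    dbs.map((db) => deleteDatabase(indexedDB, db.name))
  );

  // Verify rather than trust: anything still listed here is state
  // that would outlive the session.
  const remaining = await indexedDB.databases();
  report.leftovers = remaining.map((db) => db.name);
  if (localStorage.length > 0) report.leftovers.push("localStorage");
  if (sessionStorage.length > 0) report.leftovers.push("sessionStorage");
  report.clean = report.leftovers.length === 0;
  return report;
}
```

Call `endSession()` from the logout handler and treat `clean === false` as a failure to surface, for example by asking the user to close other tabs and retrying.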
If you were doing anything highly sensitive on Tor recently... well, good luck out there. If you just need to scrape data anonymously without the Tor drama, maybe just invest in a proper Proxy to unlock limitless web data collection instead.
Source: Fingerprint.com Blog