We found a stable Firefox identifier linking all your private Tor identities

Firefox’s “private” mode caught peeking; Tor fans demand answers

TLDR: A Firefox quirk let sites recognize you across tabs — even in Tor’s “New Identity” — but Mozilla shipped a fix in Firefox 150. Comments exploded over Tor’s response time, whether blocking JavaScript sidesteps it, and the ethics of disclosure by a fingerprinting firm.

Privacy nerds are in full meltdown after researchers said Firefox-based browsers leaked a sneaky, session-long “fingerprint” using a quirky ordering of local data (think: the browser’s filing cabinet giving you an ID by the way it stacks folders). It could even link activity in Tor Browser after hitting “New Identity.” Mozilla moved fast with a fix in Firefox 150 and an Extended Support release, and the bug is tracked in Bug 2024220. But the crowd wants to know: what about Tor’s patch, and when?

Cue the comment section chaos. One camp is side-eyeing Tor: “Is there a lag?” Another is applauding the researchers for not ending with a sales pitch — yet suspiciously asking why a fingerprinting company would disclose a trick that competitors could use. Ethics debate unlocked. Meanwhile, pragmatists note the identifier dies after a full browser restart, so it’s less apocalyptic than it sounds — unless you never close your browser. Hardcore security folks chimed in with the classic: just block JavaScript and you dodge this entirely (cue the collective groan from people who still want the modern web to work). Someone pointed out Qubes/Whonix users are safe, sparking a mini wave of “monk mode” jokes.

Meme recap: “Private Mode? More like Peekaboo Mode,” and “New Identity, same vibes” made the rounds. The vibe? Entertained, skeptical, and impatiently refreshing for a Tor Browser update.

Key Points

  • Websites could derive a unique, deterministic, process-lifetime identifier from IndexedDB result ordering in Firefox-based browsers.
  • The identifier enabled cross-origin linkability and persisted in Firefox Private Browsing while the process remained running.
  • In Tor Browser, the identifier persisted through the “New Identity” feature, undermining unlinkability guarantees.
  • Researchers disclosed the issue to Mozilla and the Tor Project; Mozilla fixed it in Firefox 150 and ESR 140.10.0 (Mozilla Bug 2024220).
  • The fix canonicalizes/sorts results to avoid leaking process-scoped state, illustrating how seemingly harmless APIs can become tracking vectors.
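
The first and last points above, as an added example: a simplified model written for this summary, not Firefox or Tor Browser code. It assumes (hypothetically) that enumeration order follows a hash salted once per process, then shows that sorting removes the dependence on that process state; `ProcessModel`, `listLeaky`, `listCanonical`, and the sample names and salts are all constructed.

```javascript
// Simplified model (constructed): names are enumerated in the order of a hash
// that is salted once per browser process. The salt stands in for whatever
// process-scoped state influenced result ordering; that is an assumption.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0; // keep an unsigned 32-bit value
  }
  return h;
}

class ProcessModel {
  constructor(salt) {
    this.salt = salt; // fixed for the lifetime of the modelled process
  }
  // "Before": order is a function of process state, so every caller in the
  // same process observes the same process-specific permutation.
  listLeaky(names) {
    const key = (n) => fnv1a(this.salt + n);
    return [...names].sort((a, b) => key(a) - key(b));
  }
  // "After": canonical (sorted) order, identical in every process.
  listCanonical(names) {
    return [...names].sort();
  }
}

// Constructed sample data: one fixed set of names, several modelled processes.
const NAMES = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel"];
const SALTS = ["proc-1", "proc-2", "proc-3", "proc-4", "proc-5", "proc-6", "proc-7", "proc-8"];

// Regression check: how many distinct orderings exist across processes?
// Any value above 1 means the output encodes process-scoped state.
function distinctOrderings(method) {
  const seen = new Set(SALTS.map((s) => new ProcessModel(s)[method](NAMES).join("|")));
  return seen.size;
}

console.log("leaky orderings across processes:", distinctOrderings("listLeaky"));
console.log("canonical orderings across processes:", distinctOrderings("listCanonical"));
```

The same invariance check (identical output regardless of process-scoped state) is the property a regression test for this class of bug would assert.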

Hottest takes

“did that section leave out when the Tor Project planned to respond or release a fixed Tor Browser?” — crazysim
“why would this company report this vulnerability… Isn’t it better for the business (albeit unethical) to keep [it] private?” — lpapez
“doesn’t persist past browser restart… reduce the usefulness” — bawolff