Privacy Vulnerability in Firefox and TOR Browsers

The security company Fingerprint discovered that websites could track Firefox users even when they used private browsing tabs or the anonymity-focused TOR browser. Mozilla closed the vulnerability in Firefox 150, which was released on April 21st, 2026.

This vulnerability is another example of how a subtle lack of entropy in the software industry can undermine privacy and security.

The vulnerability concerns how browsers retrieve non-sensitive stored metadata. The retrieval of database metadata is ordered in a specific way that can be unique to the user’s browser. This could allow the fingerprinting of systems, enabling tracking that could persist even when full privacy protections are in place.

Essentially, the data retrieval process lacked sufficient entropy in how it presented metadata, creating consistently unique formats based on individual systems, allowing users to be matched and therefore tracked.
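To make the mechanism concrete, here is an added example (a constructed model, not code from Fingerprint, Mozilla or Firefox) showing how the order of returned metadata entries alone can link sessions of the same profile, and how a canonical order removes that signal. The function names, profile seeds and database names are assumptions made for illustration, and the sorted listing is a generic mitigation, not a description of Mozilla's fix.

```javascript
// Constructed model, NOT Firefox code: a metadata store whose listing order
// depends on a per-profile value that outlives individual browsing sessions.

// Small non-cryptographic keyed hash (FNV-1a steps + murmur3 finalizer),
// standing in for whatever internal step makes the order profile-dependent.
function keyedHash(seed, name) {
  let h = seed >>> 0;
  for (const ch of name) h = Math.imul(h ^ ch.codePointAt(0), 0x01000193);
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b);
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35);
  return (h ^ (h >>> 16)) >>> 0;
}

// Leaky listing: entries come back in internal (hash) order.
function listLeaky(profileSeed, names) {
  const key = (n) => keyedHash(profileSeed, n);
  return [...names].sort((a, b) => key(a) - key(b) || (a < b ? -1 : 1));
}

// Hardened listing: canonical order, identical for every profile.
function listCanonical(_profileSeed, names) {
  return [...names].sort();
}

// Upper bound on identifying bits carried by the order of n entries: log2(n!).
function orderingBits(n) {
  let bits = 0;
  for (let k = 2; k <= n; k++) bits += Math.log2(k);
  return bits;
}

const NAMES = Array.from({ length: 12 }, (_, i) => `db-${i}`); // constructed
const PROFILES = [0x1234abcd, 0x0badf00d, 0x5eed5eed, 42, 7]; // constructed

function demo() {
  const sig = (list, seed, names) => list(seed, names).join(",");
  const reversed = [...NAMES].reverse(); // a later session creating entries in another order
  return {
    // Same profile, two sessions: the order matches, so the sessions link.
    sameProfileLinked:
      sig(listLeaky, PROFILES[0], NAMES) === sig(listLeaky, PROFILES[0], reversed),
    distinctLeaky: new Set(PROFILES.map((p) => sig(listLeaky, p, NAMES))).size,
    distinctCanonical: new Set(PROFILES.map((p) => sig(listCanonical, p, NAMES))).size,
    bits: orderingBits(NAMES.length),
  };
}

console.log(demo());
```

In this model the five constructed profiles each produce a different leaky ordering but a single canonical one, which is the property a reviewer would test for when auditing any API that enumerates stored items.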

This is a big deal to people who wish to protect their privacy. Using TOR and private browsing are popular ways to keep others from tracking your online activities, but this flaw could partially undermine such measures.

Great job by Fingerprint in identifying and responsibly reporting the vulnerability so Mozilla could close the weakness.

I expect more such issues to be discovered across browsers as the next generation of AI models is released, like Anthropic’s Claude Mythos.


CISO and Cybersecurity Strategist
