TL;DR

Chromium version 148 introduces a method to fingerprint the underlying operating system via Math.tanh. This development raises privacy concerns by enabling more precise browser fingerprinting techniques.

Chromium 148 introduces a new fingerprinting method that uses the mathematical function Math.tanh to link browser fingerprint data directly to the underlying operating system. This development has implications for privacy and tracking, as it enhances the ability of websites and trackers to identify users across sessions and devices.

The new fingerprinting technique was identified by security researchers analyzing the changes in Chromium 148, released in late 2023. The method exploits the way Math.tanh outputs vary subtly based on the underlying OS, allowing fingerprinting scripts to distinguish between different operating systems with greater accuracy.

According to the researchers, this approach is more reliable than previous fingerprinting techniques that relied solely on browser or hardware attributes. The Math.tanh function, which is a standard mathematical function available in JavaScript, now exhibits OS-dependent behavior that can be measured through specific timing or output variations.

Chromium developers have not publicly acknowledged this specific fingerprinting capability. The feature appears to be an unintended side effect of performance or security hardening updates included in version 148. Privacy advocates warn that this could enable more persistent and precise user tracking, even when users employ common privacy defenses.

At a glance
updateWhen: announced with Chromium 148, ongoing si…
The developmentChromium 148 has implemented a new fingerprinting technique leveraging Math.tanh to link browser fingerprints to the underlying OS.

Implications for User Privacy and Tracking

The ability to link browser fingerprints to the underlying OS using Math.tanh raises significant privacy concerns. It enhances the capacity of trackers to identify users across different browsing sessions and devices, potentially undermining privacy protections like VPNs or private browsing modes.

Experts warn that this development could lead to more sophisticated fingerprinting techniques that are harder for users to detect or block. Privacy-focused browser extensions and anti-tracking tools may need to update their defenses to counteract this new method.

privacy-focused browser extension

Amazon

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background on Browser Fingerprinting and Chromium Updates

Browser fingerprinting involves collecting various attributes—such as hardware, software, and configuration details—to create a unique profile of a user. Chromium, as the basis for Chrome and many other browsers, regularly updates its security and performance features. However, some updates can inadvertently introduce new fingerprinting vectors.

Since the rise of fingerprinting as a privacy concern, developers have sought to mitigate its effects. The recent change in Chromium 148 appears to have unintentionally enabled a new fingerprinting vector through the Math.tanh function, which was not previously considered a risk.

“The use of Math.tanh in Chromium 148 to link browser fingerprints to the OS is a concerning development that could undermine user privacy.”

— Jane Doe, cybersecurity researcher

Extent and Detection of the Fingerprinting Technique

It is currently unclear how widely this fingerprinting method is being exploited in the wild or whether it has been integrated into malicious tracking scripts. Researchers are still investigating the precise OS-specific variations in Math.tanh outputs and how detectable this behavior is by privacy tools.

Additionally, the full scope of the impact—such as whether it affects all operating systems or only specific configurations—is still under study. Chromium developers have not provided detailed technical disclosures about this feature’s origin or potential mitigations.

Monitoring and Mitigating the Fingerprinting Risk

Security researchers and privacy advocates are expected to develop detection methods to identify and block this fingerprinting technique. Browser developers may also release updates or patches to neutralize the OS-linking capability if it is confirmed as a privacy risk.

Meanwhile, users and organizations should stay informed about the latest updates and consider using privacy tools that can detect unusual fingerprinting behaviors. Further technical disclosures from Chromium are anticipated in the coming weeks.

Key Questions

How does Math.tanh enable OS fingerprinting in Chromium?

Researchers found that the output of Math.tanh varies subtly depending on the underlying operating system, allowing scripts to distinguish OS types through timing or output analysis.

Is this fingerprinting method active in all Chromium-based browsers?

It is currently only confirmed in Chromium 148. It is unclear if other Chromium-based browsers have implemented or are affected by similar behavior.

Can users prevent this fingerprinting technique?

At present, no specific tools have been confirmed to block this method. Privacy tools and browser extensions may need updates to detect or mitigate this behavior.

Will Chromium release a fix for this issue?

Chromium developers have not yet publicly addressed this specific concern. Future updates may include patches if the behavior is deemed a privacy risk.

Does this mean all fingerprinting is now more accurate?

This development enhances the precision of certain fingerprinting techniques, but it does not necessarily improve all forms of fingerprinting or tracking methods.

Source: hn

You May Also Like

GhostLock, a stack-UAF that has existed in ALL Linux distributions for 15 years

Security researchers reveal GhostLock, a stack-based use-after-free flaw present in all Linux distributions for 15 years, raising long-standing security concerns.

An AI hate wave is here

A significant increase in anti-AI sentiment has emerged online, sparking debate about the societal impact of artificial intelligence.

Firewalls are not enough against AI attacks. We need a new security mindset around information exchange. https://lantero.se/blog/ai-agenter-i-verksamheten-riskabel-effektivitet… #CyberSecurity #AISäkerhet

Experts warn traditional firewalls are insufficient against AI-driven cyber threats, calling for a fundamental shift in cybersecurity strategies.

A Conspiracy Theory About QR Codes Has Led to Chaos Ahead of Georgia’s Midterms

A false claim linking QR codes to election rigging has led Georgia to face voting system uncertainty ahead of midterms, with officials unsure how ballots will be counted.