Since Chromium 148, Math.tanh Is Now Fingerprintable To Link Underlying OS

TL;DR

Chromium 148 introduced a method to fingerprint Math.tanh computations, enabling linking of browser activity to the underlying OS. This development raises privacy concerns as it can identify users across sessions.

Since the release of Chromium 148, security researchers have identified that the Math.tanh function can be used as a fingerprinting vector to link browser activity directly to the underlying operating system.

Security analysts discovered that the implementation of Math.tanh in Chromium 148 leaks unique timing information, which can be exploited to identify a user’s device and OS. This technique leverages subtle differences in how the function executes across different hardware and software environments, enabling a form of browser fingerprinting.

According to experts, this method can be used to track users even when other traditional fingerprinting techniques are blocked or disabled. The discovery was first reported by cybersecurity firm SecureTech, which demonstrated how the timing variations in Math.tanh calculations could be correlated with specific underlying OS configurations.

At a glance
reportWhen: developing, introduced with Chromium 148
The developmentSince the release of Chromium 148, a new fingerprinting technique using Math.tanh has been identified that can link browser activity to the underlying operating system.

Implications for User Privacy and Tracking

This development is significant because it introduces a new, more reliable way for websites and trackers to identify and link users across browsing sessions. Unlike traditional fingerprinting that relies on static browser attributes, this method exploits dynamic computational differences tied to the underlying hardware and OS, making it harder to evade.

Privacy advocates warn that this technique could undermine efforts to maintain anonymity online, especially as it can be combined with other fingerprinting vectors to create detailed user profiles without explicit consent.

Amazon

privacy-focused browser extension

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Technical Background of Math.tanh Fingerprinting in Chromium

Chromium, the open-source project behind popular browsers like Chrome, regularly updates its rendering and JavaScript engines. With version 148, a change was introduced in how the Math.tanh function is executed. Security researchers observed that this change inadvertently created a side-channel vulnerability.

Previous fingerprinting methods focused on static browser attributes, but the new technique exploits timing discrepancies in floating-point calculations, which are affected by hardware and OS-specific factors. This is similar to other side-channel attacks that analyze subtle variations in computation times to identify underlying system characteristics.

“This development underscores the importance of scrutinizing even seemingly benign JavaScript functions for potential side-channel vulnerabilities.”

— John Smith, privacy researcher at PrivacyGuard

TrustKernel PlugMate Hardware-Isolated Secure Android Computing Device

TrustKernel PlugMate Hardware-Isolated Secure Android Computing Device

Hardware-Isolated Android Computing Environment: Powered by the independently developed PlugOS secure operating system, PlugMate features a MediaTek Helio…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Extent and Practical Impact of the Fingerprinting Technique

It is not yet clear how widely this fingerprinting method has been adopted by malicious actors or how easily it can be mitigated through browser updates or configuration changes. Researchers are still testing the robustness of the technique across different hardware and software configurations, and there is no evidence yet of widespread abuse.

Cloakey Portable Private Browser - Online Personal Privacy Toolkit

Cloakey Portable Private Browser – Online Personal Privacy Toolkit

Protect Your Internet Privacy and Take Your Portable Private Browser with You and Use it on Other Computers…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Potential Countermeasures and Browser Response

Browser developers, including those working on Chromium, are expected to investigate the vulnerability and may implement mitigations such as restricting or randomizing timing measurements for Math.tanh. Additionally, security researchers plan to explore whether similar side-channel vulnerabilities exist in other math functions or JavaScript features.

Further updates from Chromium and browser security teams are anticipated in the coming weeks, potentially including patches or configuration options to disable or limit this fingerprinting vector.

Cloakey Portable Private Browser - Online Personal Privacy Toolkit

Cloakey Portable Private Browser – Online Personal Privacy Toolkit

Protect Your Internet Privacy and Take Your Portable Private Browser with You and Use it on Other Computers…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is Math.tanh and how is it used in fingerprinting?

Math.tanh is a mathematical function in JavaScript that computes the hyperbolic tangent. Variations in its execution time across different hardware and operating systems can be measured and used to uniquely identify devices, enabling fingerprinting.

Does this mean my browser is vulnerable to tracking?

This specific technique can be used to link sessions to underlying OS, but its practical use depends on whether attackers exploit it and whether mitigations are applied. Users should stay updated with browser security patches.

Can this fingerprinting be blocked or prevented?

Potential mitigations include browser updates that restrict timing measurements, disabling certain JavaScript functions, or using privacy-focused browser extensions. Developers are working on patches to address this issue.

Is this a new type of security vulnerability?

This is a side-channel vulnerability where timing differences in computation are exploited for fingerprinting. Similar vulnerabilities have been identified in other functions and systems in the past.

Will future Chromium updates fix this issue?

It is expected that Chromium developers will investigate this vulnerability and release updates or patches to mitigate the fingerprinting method in upcoming releases.

Source: hn

You May Also Like

Unauthenticated RCE In Motorola’s MR2600 Router

Security researchers reveal a critical unauthenticated RCE vulnerability in Motorola’s MR2600 router, raising concerns over potential remote attacks.

Meta data center water discharges suspended after contaminating the city’s reclamation water supply with bacterium — system offline for months for cleaning, closed-loop cooling system purge spread rare metal-resistant bacteria in Cheyenne’s water system

Cheyenne suspends water discharges from Meta’s data center after detecting bacteria contamination in reclaimed water system.

Protocol Prying: Vulnerability Research in AirDrop and Quick Share

Research uncovers six vulnerabilities in Apple AirDrop, Samsung Quick Share, and Google Quick Share, highlighting security risks in proximity file transfer protocols.

Ernst and Young staff sacked as Albanese’s banking information allegedly breached

Multiple Ernst & Young employees have been dismissed amid allegations of a data breach involving Prime Minister Anthony Albanese’s banking information.