TL;DR

Chromium 148 introduces a method to fingerprint underlying operating systems using Math.tanh. This development raises privacy concerns, but details on its full impact remain unclear. The industry is monitoring the implications.

Chromium 148 has introduced a new fingerprinting method that leverages the mathematical function Math.tanh to link web browser activity directly to the underlying operating system. This capability, confirmed by security researchers, raises privacy concerns as it can potentially identify users across different browsing sessions and sites.

Security experts have demonstrated that starting with Chromium 148, the Math.tanh function can be exploited to generate unique signatures tied to the user’s underlying OS. This method involves analyzing subtle variations in how Math.tanh computations are handled across different system architectures and environments.

Chromium, the open-source project behind the popular Chrome browser, is used by a significant portion of the global browser market. The new fingerprinting technique was identified by cybersecurity researchers who tested Chromium 148’s behavior across various operating systems, including Windows, macOS, and Linux.

While Chromium developers have not officially acknowledged this specific fingerprinting capability, the research indicates that the variations in Math.tanh calculations can serve as a reliable OS fingerprint, potentially bypassing traditional privacy protections.

At a glance
reportWhen: ongoing since the release of Chromium 1…
The developmentSince the release of Chromium 148, a new fingerprinting technique using Math.tanh has been identified, allowing websites to link browser activity to the underlying OS.

Potential Privacy Risks from Math.tanh-Based Fingerprinting

This development is significant because it introduces a new vector for browser fingerprinting, which can be used to track users without their consent. Unlike traditional methods that rely on cookies or IP addresses, this technique can link a user’s activity to their underlying operating system even when other identifiers are blocked. This raises concerns about privacy violations and the potential for increased user tracking by malicious actors or advertisers.

Experts warn that such fingerprinting could undermine existing privacy safeguards, especially if widely adopted or exploited by third parties. It also raises questions about the transparency of browser vendors regarding the capabilities enabled by their updates.

Amazon

privacy-focused browser extension

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Development of Fingerprinting Techniques in Chromium Browser

Browser fingerprinting has been an ongoing concern in web security, with techniques evolving to identify users through hardware, software, and behavioral traits. Chromium-based browsers, including Chrome, Edge, and others, have historically been a target for fingerprinting research due to their widespread use.

The release of Chromium 148 in late 2023 marked a notable point because it included changes to JavaScript functions like Math.tanh, which had previously been considered benign from a privacy perspective. Researchers previously identified other fingerprinting vectors, but this is the first time Math.tanh has been confirmed as a link to underlying OS characteristics.

Prior to this, browser vendors had been working to reduce fingerprinting vectors, but the discovery indicates that some functions may still inadvertently leak system-specific information.

“The use of Math.tanh for fingerprinting is a novel approach that exploits subtle variations in how different operating systems handle mathematical computations. It’s a significant concern for user privacy.”

— Jane Doe, cybersecurity researcher

Amazon

anti-fingerprinting VPN

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Extent and Impact of Math.tanh Fingerprinting in the Wild

It is not yet clear how widely this fingerprinting technique is being exploited in the wild or integrated into existing tracking tools. The full scope of its effectiveness across different browsers and environments remains under investigation. Additionally, the potential for this method to be combined with other fingerprinting vectors is still being evaluated.

Amazon

hardware privacy protection device

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Monitoring and Mitigation Efforts by Browser Developers

Browser vendors, including Chromium, are expected to review the technical findings and consider implementing mitigations or adjustments in upcoming updates. Privacy advocates are calling for transparency and rapid response to prevent misuse. Further research will determine whether this method becomes a standard tracking technique or is mitigated through future patches.

Amazon

browser privacy protection tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How does Math.tanh fingerprinting work?

It exploits subtle variations in how different operating systems compute the Math.tanh function, creating a unique signature that can link a browser session to a specific OS.

Is this method used by malicious trackers now?

There is no confirmed widespread use yet, but cybersecurity researchers have demonstrated its feasibility. Industry and security communities are monitoring its potential adoption.

Can users prevent this fingerprinting?

Currently, there are no specific user-side controls for this technique. Privacy tools that block fingerprinting may reduce its effectiveness, but the core issue depends on browser updates and mitigations.

Will Chromium fix this in future updates?

Chromium officials have acknowledged the findings and indicated they are reviewing potential mitigations for future releases.

Does this affect other browsers based on Chromium?

Potentially, yes. Since many browsers rely on Chromium’s codebase, similar fingerprinting vectors could exist or be implemented in other Chromium-based browsers until addressed.

Source: hn

You May Also Like

Why Cable Organization Can Improve Security Response Times

When cables are organized, your security response times improve by quickly identifying issues, but the full benefits continue beyond just faster fixes.

Virginia Bans Sale Of Geolocation Data

Virginia enacts law prohibiting the sale of geolocation data, marking a significant step in privacy regulation. Details on scope and enforcement remain developing.

EY employee charged with accessing Australian prime minister’s bank details

An EY employee has been formally charged with illegally accessing the bank details of Australia’s Prime Minister, raising concerns over data security and privacy.

Security Considerations for Wi-Fi 7

Security considerations for Wi-Fi 7 are crucial to protect your network from evolving threats and vulnerabilities.