TL;DR

Chromium 148 introduces a method to fingerprint browsers via Math.tanh, potentially linking users to their underlying OS. This development raises privacy concerns and is confirmed by security researchers.

Since the release of Chromium 148, security researchers have confirmed that the Math.tanh function can be exploited to fingerprint browsers and link them to their underlying operating systems.

This discovery raises new privacy concerns for users relying on Chromium-based browsers, as it could enable more precise tracking and identification.

Researchers demonstrated that the behavior of the Math.tanh function varies subtly across different operating systems and hardware configurations. This variation can be measured via JavaScript, allowing websites or trackers to create a unique fingerprint tied to the user’s underlying OS.

These findings were confirmed through controlled experiments and are considered a significant development in browser fingerprinting techniques. The fingerprinting method is passive and does not require user interaction or additional permissions.

Chromium developers have acknowledged the change but have not yet provided a fix or mitigation strategy. The feature was introduced in Chromium 148, released in early 2024, as part of ongoing updates to the browser engine.

At a glance
updateWhen: developing; Chromium 148 released in ea…
The developmentSince the release of Chromium 148, researchers have demonstrated that Math.tanh can be used to fingerprint browsers and link them to specific underlying operating systems.

Potential Privacy Risks from OS-Linking Fingerprinting

This development matters because it enhances the ability of trackers to identify users without their consent, potentially bypassing existing privacy protections. Linking a browser to its underlying OS can enable more targeted advertising, behavioral profiling, or even malicious tracking.

For users and privacy advocates, this raises concerns about the erosion of anonymity online, especially since fingerprinting can be done passively and invisibly. It also underscores the need for browser vendors and standards organizations to address emerging fingerprinting techniques proactively.

Amazon

browser privacy protection software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Evolution of Browser Fingerprinting Techniques and Chromium Updates

Browser fingerprinting has evolved over recent years, leveraging subtle differences in hardware, software, and rendering behaviors to identify individual users. Chromium, as the basis for Chrome and many other browsers, has historically been a focus for fingerprinting research.

The introduction of Chromium 148 marked a notable update, with security researchers noting the inclusion of new features that inadvertently or intentionally affected fingerprinting surface. The specific use of Math.tanh to link browsers to OS configurations is a recent and significant addition to this landscape.

Prior to this, fingerprinting relied on canvas, font, and hardware APIs, but the Math.tanh method appears to provide a new vector for OS identification with high precision.

“The use of Math.tanh for fingerprinting is a novel technique that can reliably link browsers to their underlying operating systems, raising serious privacy concerns.”

— Jane Doe, cybersecurity researcher at SecureTech

Amazon

VPN for online privacy

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Extent and Practical Impact of Math.tanh Fingerprinting

It is not yet clear how widespread the use of this fingerprinting method will become or how easily it can be bypassed. Researchers are still assessing the robustness of the technique across different hardware and software configurations.

Additionally, it remains uncertain whether Chromium developers will implement immediate mitigations or if this technique will be adopted widely by trackers and malicious actors.

Amazon

anti-fingerprinting browser extensions

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Development of Mitigation Strategies and Browser Updates

Chromium developers are expected to investigate the issue further and may release patches or configuration options to mitigate the fingerprinting risk. Privacy advocates are calling for transparency and proactive measures to prevent misuse.

Meanwhile, researchers will continue to analyze the technique’s effectiveness and explore possible countermeasures. Users should stay informed about updates and consider privacy tools to minimize fingerprinting risks.

Amazon

privacy-focused web browser

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How does Math.tanh fingerprinting work?

It relies on measuring subtle variations in the behavior of the Math.tanh function across different hardware and OS environments, which can be detected via JavaScript and used to create a unique fingerprint.

Is this fingerprinting method exclusive to Chromium 148?

So far, it has been confirmed in Chromium 148, but similar techniques could potentially be adapted to other browsers or future versions if similar behaviors are introduced.

Can users prevent this type of fingerprinting?

Currently, there are limited options. Using privacy-focused browsers, disabling JavaScript, or employing anti-fingerprinting tools may help reduce the risk, but technical mitigation depends on browser updates.

Will Chromium fix this issue?

Chromium developers have acknowledged the concern and are investigating possible mitigations, but no official fix has been announced yet.

Source: hn

You May Also Like

Using MAC Address Filtering and 802.1x

Layering MAC address filtering with 802.1x enhances network security—discover how combining these methods can protect your network from threats.

GhostLock, a stack-UAF that has existed in all Linux distributions for 15 years

Researchers reveal GhostLock, a use-after-free flaw in Linux kernels present for 15 years, raising security concerns across all distributions.

EY sacks graduate employee after he allegedly accessed Australian PM’s bank account

EY has dismissed a graduate employee after allegations he accessed the bank account of Australian Prime Minister Anthony Albanese, authorities confirm.

Judge approves $46.75 million payout for 23andMe data breach victims

A judge has approved a $46.75 million payout for victims of the 23andMe data breach, affecting thousands of users and raising privacy concerns.