logoalt Hacker News

Since Chromium 148, Math.tanh is now fingerprintable to link underlying OS

158 pointsby joahnn_stoday at 9:12 PM67 commentsview on HN

Comments

Aurornistoday at 9:30 PM

> One tanh call on the right input is a per-OS signature. Claim macOS, return Linux math bits, and you have contradicted your own User-Agent.

They (or rather the LLM that wrote this) missed that this is possibly fingerprintable to browser version range, which is slightly more interesting. Most users aren't spoofing their user agent headers to be a different operating system. Most fingerprinting solutions aren't trying to infer your operating system, they only care about semi-unique things that show up.

It's an interesting finding. I wish they had taken some time to have a real person write it up. This is too heavily LLM written to ignore.

show 3 replies
jeroenhdtoday at 9:32 PM

Kind of a smart move by this company: write up an AI analysis of all fingerprinting techniques in hopes they get fixed after outrage so their scraping company can make more money. If it weren't for companies like this, fingerprinting wouldn't be so ubiquitous and the internet would be a better place in general.

I prefer articles like this coming from the other side of the battle (fingerprint.js and friends) because at least their motives are clear.

show 1 reply
sjrdtoday at 9:23 PM

I guess that's one more good reason to push for correctly rounded transcendental functions. I recently learned that they're basically solved now. [1]

[1] https://arith2026.org/program.html (2nd keynote)

show 2 replies
IvanK_nettoday at 10:52 PM

I think the screen resolution is also fingerprintable. That is why a browser should resize your window to a random size each time you visit a website.

Retr0idtoday at 9:25 PM

Thanks for the writeup, claude

show 1 reply
coppsilgoldtoday at 10:12 PM

Even Tor Browser (/mullvad-browser) gave up trying to obscure the operating system, though arguably they shouldn't have. There appear to be too many fingerprinting vectors.

fweimertoday at 10:30 PM

Recent glibc uses the correctly rounded tanh from CORE-MATH, so it returns different values than what's quoted in the article. It's unclear today if it's possible to achieve reasonable performance for other transcendental functions with correct rounding, so other functions have their own unique fingerprints.

qurrentoday at 9:54 PM

just inject this with your favorite JS injection plugin

    let oldTanh = Math.tanh;
    Math.tanh = x => oldTanh(x) + Math.random()/10000000;
show 3 replies
torginustoday at 10:02 PM

What I don't get is that Chrome is hundreds of megabytes of just executable code, I assumed they statically linked half the userland. Also, I though tanh isn't a function, but an intrinsic emitted by the JS JIt that uses CPU instructions - which might be fingerprintable as well, but it's weird that for a math operation, you need to branch to a 'dlsym()' function.

joahnn_stoday at 9:12 PM

We noticed Chromium Math.tanh since v148 returned a different result, so we dig it - it's now a fingerprintable surface to retrieve the OS Chromium run on

andaitoday at 10:25 PM

I am not the NSA, but on an unrelated note, this delights me!

drnick1today at 9:29 PM

This is interesting, but even without relying on JS, most users are already fingerprintable by the combination of IP + user agent.

a-dubtoday at 9:35 PM

how hardened are modern browsers with respect to detecting underlying os? seems like there would be loads of gaps?

ameliustoday at 9:36 PM

Can't we make fingerprinting illegal, as in, jailtime illegal?

Would not solve everything but still help a lot.

show 4 replies
mrsssnaketoday at 9:53 PM

JavaScript was a mistake.

show 1 reply
dmitrygrtoday at 9:19 PM

Interesting reporting, marred by obvious llm-slop-sounding writing. "You are not building..., you are ..."

show 1 reply
WarOnPrivacytoday at 10:39 PM

[dead]

rafeuddarajtoday at 9:35 PM

[flagged]