Kind of a smart move by this company: write up an AI analysis of all fingerprinting techniques in hopes they get fixed after outrage so their scraping company can make more money. If it weren't for companies like this, fingerprinting wouldn't be so ubiquitous and the internet would be a better place in general.
I prefer articles like this coming from the other side of the battle (fingerprint.js and friends) because at least their motives are clear.
I guess that's one more good reason to push for correctly rounded transcendental functions. I recently learned that they're basically solved now. [1]
[1] https://arith2026.org/program.html (2nd keynote)
I think the screen resolution is also fingerprintable. That is why a browser should resize your window to a random size each time you visit a website.
Even Tor Browser (/mullvad-browser) gave up trying to obscure the operating system, though arguably they shouldn't have. There appear to be too many fingerprinting vectors.
Recent glibc uses the correctly rounded tanh from CORE-MATH, so it returns different values than what's quoted in the article. It's unclear today if it's possible to achieve reasonable performance for other transcendental functions with correct rounding, so other functions have their own unique fingerprints.
just inject this with your favorite JS injection plugin
let oldTanh = Math.tanh;
Math.tanh = x => oldTanh(x) + Math.random()/10000000;What I don't get is that Chrome is hundreds of megabytes of just executable code, I assumed they statically linked half the userland. Also, I though tanh isn't a function, but an intrinsic emitted by the JS JIt that uses CPU instructions - which might be fingerprintable as well, but it's weird that for a math operation, you need to branch to a 'dlsym()' function.
We noticed Chromium Math.tanh since v148 returned a different result, so we dig it - it's now a fingerprintable surface to retrieve the OS Chromium run on
I am not the NSA, but on an unrelated note, this delights me!
This is interesting, but even without relying on JS, most users are already fingerprintable by the combination of IP + user agent.
how hardened are modern browsers with respect to detecting underlying os? seems like there would be loads of gaps?
Can't we make fingerprinting illegal, as in, jailtime illegal?
Would not solve everything but still help a lot.
Interesting reporting, marred by obvious llm-slop-sounding writing. "You are not building..., you are ..."
[dead]
[flagged]
> One tanh call on the right input is a per-OS signature. Claim macOS, return Linux math bits, and you have contradicted your own User-Agent.
They (or rather the LLM that wrote this) missed that this is possibly fingerprintable to browser version range, which is slightly more interesting. Most users aren't spoofing their user agent headers to be a different operating system. Most fingerprinting solutions aren't trying to infer your operating system, they only care about semi-unique things that show up.
It's an interesting finding. I wish they had taken some time to have a real person write it up. This is too heavily LLM written to ignore.