[hackerone] performance.now and other timing APIs are fingerprinting vectors #24681

@arthuredelstein

Description

From joe12387:

performance.now() can be used to create a persistent cross-site tracking fingerprint...

This code allows you to track a user from site to site; it does not detect if a user is using Brave. My fingerprint is [0.09999990463256836, 0.10000014305114746], while other machines will have a different value.

This is very easy to fix: all you have to do is round the output of performance.now() into an integer and the script will always return [1,1].

Steps to Reproduce

See https://github.com/Joe12387/OP-Fingerprinting-Script/blob/b4b196f5a6196bacf2dc041b064f877dafafface/opfs.js#L443

See also: #2952
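
A regression check for the rounding mitigation suggested in the report, as an added example that is not part of the original issue or the linked script: it lists the distinct non-zero increments a clock exposes and confirms that a rounded clock exposes only whole milliseconds. `makeSimulatedClock`, its 100 µs step, the 40 µs advance per read and the origin value are constructed stand-ins so the check is deterministic.

```javascript
// Added example: checks the rounding mitigation against a constructed clock.

// Distinct non-zero increments seen between consecutive reads of `clock`.
function observedIncrements(clock, samples) {
  const steps = new Set();
  let prev = clock();
  for (let i = 0; i < samples; i++) {
    const t = clock();
    if (t !== prev) steps.add(t - prev);
    prev = t;
  }
  return [...steps].sort((a, b) => a - b);
}

// The mitigation from the report: expose whole milliseconds only.
function roundedClock(clock) {
  return () => Math.round(clock());
}

// True when every increment is a whole number of milliseconds, i.e. the
// clock leaks no sub-millisecond step values.
function isCoarse(increments) {
  return increments.length > 0 && increments.every(Number.isInteger);
}

// Constructed stand-in for a high-resolution timer (assumption, not a real
// browser clock): each read advances 40 us of simulated time, and the value
// is quantized to `stepUs` microseconds on top of a non-zero time origin.
function makeSimulatedClock(originMs, stepUs) {
  let elapsedUs = 0;
  return () => {
    elapsedUs += 40;
    return originMs + (Math.floor(elapsedUs / stepUs) * stepUs) / 1000;
  };
}

const raw = observedIncrements(makeSimulatedClock(1234.5, 100), 5000);
const fixed = observedIncrements(roundedClock(makeSimulatedClock(1234.5, 100)), 5000);
console.log("raw increments:", raw, "coarse:", isCoarse(raw));
console.log("rounded increments:", fixed, "coarse:", isCoarse(fixed));
```

In a browser, passing `() => performance.now()` as the clock shows which increments the build under test exposes.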
