Skip to content

[hackerone] performance.now and other timing APIs are fingerprinting vectors #24681

Closed
brave/brave-core
#15309
Closed
[hackerone] performance.now and other timing APIs are fingerprinting vectors#24681
brave/brave-core
#15309
Assignees
arthuredelstein
Labels
OS/AndroidFixes related to Android browser functionalityOS/DesktopQA Pass - Android ARMQA Pass-Win64QA Pass-macOSQA/Yesrelease-notes/includesecurity
Milestone
1.47.x - Release
@arthuredelstein

Description

@arthuredelstein
arthuredelstein
opened on Aug 15, 2022

Description

From joe12387:

performance.now() can be used to create a persistent cross-site tracking fingerprint...

This code allows you to track a user from site to site, it does not detect if a user is using Brave. My fingerprint is [0.09999990463256836, 0.10000014305114746], while other machines will have a different value.

This is very easy to fix, all you have to do is round the output of performance.now() into an integer and the script will always return [1,1].

Steps to Reproduce

See https://github.com/Joe12387/OP-Fingerprinting-Script/blob/b4b196f5a6196bacf2dc041b064f877dafafface/opfs.js#L443

See also: #2952

Metadata

Metadata

Assignees

Labels

OS/AndroidFixes related to Android browser functionalityOS/DesktopQA Pass - Android ARMQA Pass-Win64QA Pass-macOSQA/Yesrelease-notes/includesecurity

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions