Yet Another Way You Can Be Fingerprinted While Using Tor


Notice: This doesn’t mean that Tor is broken.

Security Enthusiast Jose Carlos Norte recently made a blog post detailing how Tor Browser users can be uniquely fingerprinted using the mouse wheel, mouse speed, a CPU benchmark, and “getClientRects”.

A POC (proof-of-concept) is available to try out which utilizes the methods he goes over.

Right off the bat, Norte explains that these methods rely on javascript.

“All the provided fingerprinting methods are based on javascript (enabled by default in tor browser as of today).”

Norte quickly noticed that the Tor Browser implemented a counter measure against fingerprinting methods that relied on time accuracy – which is something that he needed. He noted that “there are a lot of ways to measure times smaller than 100ms using javascript in tor browser, some are obvious, or ther [sic] are intersting [sic]”, and so, he was able to get around this countermeasure with ease.

With that out of the way, Norte moved on to fingerprinting the mouse wheel where he states that “the mouse wheel event in Tor Browser (and most browsers) leaks information of the underlying hardware used to scroll the webpage.” He contrasted what’s leaked when you use a regular mouse or a trackpad:

“The event provides information about the delta scrolled, however if you are using a normal computer mouse with a mouse wheel, the delta is always three, but if you are using a trackpad, the deltas are variable and related to your trackpad and your usage patterns.”

He also stated another fingerprinting vector is the mouse’s scroll speed.

A POC for this method is available as well.

Because the time accuracy countermeasure was bypassed, Norte said that it would be “easy to create a CPU intensive script (or even memory intensive) and measure how long it takes for the user browser to execute it.” This could be used to fingerprint users as when he ran tests on different computers they all returned different results.

Another fingerprinting vector that Norte found – one that he described as “interesting” – utilizes getClientRects, which is described by Mozilla as a “method [that] returns a collection of rectangles that indicate the bounding rectangles for each box in a client.”

Norte remarked at how it was “strange that reading back from a canvas has been prevented but simply asking the browser javascript API how a specific DOM elements has been drawn on the screen has not been prevented or protected in any way.”

He even stated that this method was better than fingerprinting users using the canvas.

In an online chat with Motherboard, Norte said that “Every user moves the mouse in a unique way”, where he then went on to say “The only solution is to deactivate Javascript completely, As long as there’s Javascript, they’ll be able to fingerprint you, one way or the other.”

Share and Enjoy

  • FacebookFacebook
  • TwitterTwitter
  • DeliciousDelicious
  • LinkedInLinkedIn
  • StumbleUponStumbleUpon
  • Add to favoritesAdd to favorites
  • EmailEmail
mm – leading Bitcoin News source since 2012

Virtual currency is not legal tender, is not backed by the government, and accounts and value balances are not subject to consumer protections. The information does not constitute investment advice or an offer to invest.