Notice: This doesn’t mean that Tor is broken.
Security Enthusiast Jose Carlos Norte recently made a blog post detailing how Tor Browser users can be uniquely fingerprinted using the mouse wheel, mouse speed, a CPU benchmark, and “getClientRects”.
A POC (proof-of-concept) is available to try out which utilizes the methods he goes over.
With that out of the way, Norte moved on to fingerprinting the mouse wheel where he states that “the mouse wheel event in Tor Browser (and most browsers) leaks information of the underlying hardware used to scroll the webpage.” He contrasted what’s leaked when you use a regular mouse or a trackpad:
“The event provides information about the delta scrolled, however if you are using a normal computer mouse with a mouse wheel, the delta is always three, but if you are using a trackpad, the deltas are variable and related to your trackpad and your usage patterns.”
He also stated another fingerprinting vector is the mouse’s scroll speed.
A POC for this method is available as well.
Because the time accuracy countermeasure was bypassed, Norte said that it would be “easy to create a CPU intensive script (or even memory intensive) and measure how long it takes for the user browser to execute it.” This could be used to fingerprint users as when he ran tests on different computers they all returned different results.
Another fingerprinting vector that Norte found – one that he described as “interesting” – utilizes getClientRects, which is described by Mozilla as a “method [that] returns a collection of rectangles that indicate the bounding rectangles for each box in a client.”
He even stated that this method was better than fingerprinting users using the canvas.