Since Chromium 148, Math.tanh is now fingerprintable to link underlying OS

joahnn_s 385 points 183 comments July 12, 2026
scrapfly.dev · View on Hacker News

Discussion Highlights (20 comments)

joahnn_s

We noticed Chromium Math.tanh since v148 returned a different result, so we dig it - it's now a fingerprintable surface to retrieve the OS Chromium run on

dmitrygr

Interesting reporting, marred by obvious llm-slop-sounding writing. "You are not building..., you are ..."

sjrd

I guess that's one more good reason to push for correctly rounded transcendental functions. I recently learned that they're basically solved now. [1] [1] https://arith2026.org/program.html (2nd keynote)

Retr0id

Thanks for the writeup, claude

drnick1

This is interesting, but even without relying on JS, most users are already fingerprintable by the combination of IP + user agent.

Aurornis

> One tanh call on the right input is a per-OS signature. Claim macOS, return Linux math bits, and you have contradicted your own User-Agent. They (or rather the LLM that wrote this) missed that this is possibly fingerprintable to browser version range, which is slightly more interesting. Most users aren't spoofing their user agent headers to be a different operating system. Most fingerprinting solutions aren't trying to infer your operating system, they only care about semi-unique things that show up. It's an interesting finding. I wish they had taken some time to have a real person write it up. This is too heavily LLM written to ignore.

jeroenhd

Kind of a smart move by this company: write up an AI analysis of all fingerprinting techniques in hopes they get fixed after outrage so their scraping company can make more money. If it weren't for companies like this, fingerprinting wouldn't be so ubiquitous and the internet would be a better place in general. I prefer articles like this coming from the other side of the battle (fingerprint.js and friends) because at least their motives are clear.

a-dub

how hardened are modern browsers with respect to detecting underlying os? seems like there would be loads of gaps?

amelius

Can't we make fingerprinting illegal, as in, jailtime illegal? Would not solve everything but still help a lot.

mrsssnake

JavaScript was a mistake.

qurren

just inject this with your favorite JS injection plugin let oldTanh = Math.tanh; Math.tanh = x => oldTanh(x) + Math.random()/10000000;

torginus

What I don't get is that Chrome is hundreds of megabytes of just executable code, I assumed they statically linked half the userland. Also, I though tanh isn't a function, but an intrinsic emitted by the JS JIt that uses CPU instructions - which might be fingerprintable as well, but it's weird that for a math operation, you need to branch to a 'dlsym()' function.

coppsilgold

Even Tor Browser (/mullvad-browser) gave up trying to obscure the operating system though arguably they shouldn't have. There appear to be too many fingerprinting vectors.

andai

I am not the NSA, but on an unrelated note, this delights me!

fweimer

Recent glibc uses the correctly rounded tanh from CORE-MATH, so it returns different values than what's quoted in the article. It's unclear today if it's possible to achieve reasonable performance for other transcendental functions with correct rounding, so other functions have their own unique fingerprints.

IvanK_net

I think the screen resolution is also fingerprintable. That is why a browser should resize your window to a random size each time you visit a website.

jmward01

Is this even a fight that is possible to win here? Run enough functions and between timing comparisons (x takes 2.5 y) and rounding (things like this) and I suspect you can nail os/exact machine and possibly even other tasks running on that machine. I'm not sure there is a viable way to stop this. At best just make it a little harder? Society and legislation need to catch up here. It is like a lock on my door. Locks don't stop people. They just deter a few people and delay a couple more but a determined person can (likely very easily) break into my house. That is why we need society to call it out that it isn't right (people avoiding buying things they think are stolen, shunning those that do it, etc etc) and laws that step in (it is a crime to break into my house. real resource dedicated to tracking down and stopping people that do it, etc). A similar approach needs to happen here. It should be illegal to track a person like this and people that get hired at a place using the gains of it should shun those companies and society should shun those companies.

omoikane

I hope this eventually ends up in https://coveryourtracks.eff.org/ so I can see how unique my math functions are relative to a larger population.

luciana1u

Math.tanh as a fingerprinting vector. at this rate the next browser privacy paper will reveal that the number of milliseconds your CPU takes to render an emoji is also uniquely identifying.

eschaton

Sounds almost like allowing web pages to run scripts was a mistake.

Semantic search powered by Rivestack pgvector
14,015 stories · 131,331 chunks indexed