Any security professional will tell you that diversity is a good thing; if you use enough different products, it is highly unlikely that all of them will have the same security issue. While this is mostly correct, Amit Klein at Trusteer just released a report (PDF) about a privacy issue that affects all major browsers (Internet Explorer, Firefox, Chrome, Safari and Opera) in almost the same way.


The scenarios detailed by Amit show a new way of tracking users that needs neither cookies nor IP addresses. Instead, a "fingerprint" of the browser instance is derived from the internal state of JavaScript's Math.random() implementation, which its predictable output leaks, and from the boundary string the browser generates when uploading multipart/form-data, which is built from the same weak generator. Because every site talks to the same per-instance generator, any site can compute the same fingerprint, which makes it usable for tracking a user across many unrelated websites.

The method also works regardless of "Private Browsing", "Incognito" or "InPrivate" mode, since those modes isolate cookies and history but do not touch the random number generator. The main limitation is that only a single browser instance is fingerprinted: as soon as the web browser is restarted, the generator is re-seeded and a new fingerprint results.

The root cause of this information leakage is, in the report's words, "very weak crypto for random number generation": the generators are non-cryptographic, keep only a small amount of state, and are seeded from predictable values such as the time. That makes the supposedly random numbers easy to predict from a few observed outputs, and may even make it possible to recover the seed used to initialize the PRNG, and with it the time the browser was started. The author's advice is to restart your browser frequently, and for web application developers not to rely on the randomness of Math.random() for anything security-relevant (session identifiers, CSRF tokens and the like); browsers now expose a cryptographically secure generator as window.crypto.getRandomValues() for that purpose.
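To make the two previous paragraphs concrete, here is an added example (my own code, not from Amit Klein's report and not any browser's actual implementation) of how a weak, time-seeded Math.random() gives itself away. The generator is a toy: a 48-bit linear congruential generator with the constants of java.util.Random that leaks the top 32 bits of its state in each output, which is an assumption standing in for the real, browser-specific PRNGs. The attacker side recovers the full state from two consecutive values, predicts the next ones, runs the generator backwards to find the seed (the browser start time) and uses that seed as the cross-site fingerprint. Timestamps and the observation window are constructed for the demo.

```javascript
// Toy model of a weak Math.random(): 48-bit LCG (java.util.Random constants,
// an assumption) whose output exposes the top 32 bits of its state.
const MOD = 1n << 48n;
const A = 0x5DEECE66Dn;
const C = 0xBn;
const mod = (x) => ((x % MOD) + MOD) % MOD;

// Multiplicative inverse of A modulo 2^48 (A is odd, so it exists).
// Newton iteration: every round doubles the number of correct low bits.
let inv = 1n;
for (let i = 0; i < 6; i++) inv = mod(inv * (2n - A * inv));
const A_INV = inv;
if (mod(A * A_INV) !== 1n) throw new Error("inverse computation failed");

function makeWeakRandom(seedMillis) {
  // Java-style seed scrambling: the initial state is seed XOR A.
  let state = mod(BigInt(seedMillis) ^ A);
  const rng = () => {
    state = mod(state * A + C);
    return Number(state >> 16n) / 2 ** 32;  // in [0, 1): top 32 state bits
  };
  rng.peekState = () => state;  // demo hook only; a web page cannot do this
  return rng;
}

// Recover the full 48-bit state from two consecutive outputs: the first
// output fixes 32 bits, the 16 low bits are brute forced (65 536 tries) and
// each candidate is confirmed against the second output. Returns the state
// right after r2 was produced, or null if nothing matches.
function recoverState(r1, r2) {
  const hi1 = BigInt(Math.round(r1 * 2 ** 32));
  const hi2 = BigInt(Math.round(r2 * 2 ** 32));
  for (let low = 0n; low < 65536n; low++) {
    const candidate = (hi1 << 16n) | low;
    const next = mod(candidate * A + C);
    if (next >> 16n === hi2) return next;
  }
  return null;
}

// Predict the next n outputs from a recovered state.
function predictNext(state, n) {
  const out = [];
  for (let i = 0; i < n; i++) {
    state = mod(state * A + C);
    out.push(Number(state >> 16n) / 2 ** 32);
  }
  return out;
}

// The LCG step is a bijection on 48-bit states, so it can be run backwards.
// Step back until the unscrambled state is a millisecond timestamp inside
// the window the browser is assumed to have been started in. Returns the
// seed (browser start time) and the number of outputs consumed, or null.
function recoverSeed(state, windowStart, windowEnd, maxSteps = 100000) {
  for (let steps = 0; steps <= maxSteps; steps++) {
    const seed = state ^ A;
    if (seed >= BigInt(windowStart) && seed <= BigInt(windowEnd)) {
      return { seed: Number(seed), outputsConsumed: steps };
    }
    state = mod((state - C) * A_INV);
  }
  return null;
}

// What a tracking page does: observe two Math.random() values, recover the
// seed and use it as the fingerprint of this browser instance. The seed
// stays the same however far the sequence has advanced, so a second site
// seeing later values computes the same fingerprint.
function fingerprintFrom(r1, r2, windowStart, windowEnd) {
  const state = recoverState(r1, r2);
  if (state === null) return null;
  const found = recoverSeed(state, windowStart, windowEnd);
  return found === null ? null : found.seed;
}

// Constructed scenario: browser started at STARTED_AT (made-up value); the
// tracker assumes a start within the 24 hours before NOW.
const STARTED_AT = 1231234567890;
const NOW = STARTED_AT + 25 * 60 * 1000;
const WINDOW = [NOW - 24 * 60 * 60 * 1000, NOW];

const victim = makeWeakRandom(STARTED_AT);
victim(); victim(); victim();                   // consumed by earlier pages
const siteA = [victim(), victim()];             // observed on site A
const stateA = recoverState(siteA[0], siteA[1]);
const predicted = predictNext(stateA, 3);
const actual = [victim(), victim(), victim()];  // the browser's real next values
for (let i = 0; i < 7; i++) victim();           // more browsing in between
const siteB = [victim(), victim()];             // observed later on site B
const fpA = fingerprintFrom(siteA[0], siteA[1], WINDOW[0], WINDOW[1]);
const fpB = fingerprintFrom(siteB[0], siteB[1], WINDOW[0], WINDOW[1]);
console.log("predicted", predicted, "actual", actual);
console.log("fingerprint on site A:", fpA, "on site B:", fpB);
```

Two things carry over to the real generators even though the constants do not: the brute-force cost is set by how many state bits an output hides (2^16 candidates here), and the backwards search only works because the attacker can guess a window for the seed, which is exactly why seeding from the clock is a bad idea. A real boundary string leaks the same values in a different encoding (decimal digits instead of a float), so the recovery step is the same once the digits are converted back.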

The bug has been fixed in WebKit r39553 and later (including Safari 4.0); Microsoft has indicated that a fix might ship in an upcoming service pack. Mozilla has assigned bugs 464071 and 475585, which are still open at the time of writing. While Opera was not included in the initial report, their security team got word of the issues and requested additional information, after which they shipped fixes in Opera 9.64.

I think this shows that some browser makers don’t consider privacy to be a major issue; while it has been shown before that “private” browsing modes still leave lots of information that can identify a particular user, the lack of interest that some vendors have shown still amazes me.