User tracking across sites using Math.random()

User tracking across sites using Math.random()

Announced

June 22, 2010

Reporter

Amit Klein

Impact

Low

Products

Firefox, SeaMonkey

Fixed in

• Firefox 3.5.10
• Firefox 3.5.12
• Firefox 3.6.4
• Firefox 3.6.9
• SeaMonkey 2.0.5

Description

Security researcher Amit Klein reported that it was possible to reverse engineer the value used to seed Math.random(). Since the pseudo-random number generator was only seeded once per browsing session, this seed value could be used as a unique token to identify and track users across different web sites.

Update (October 27, 2010): After the Firefox 3.6.4 and Firefox 3.5.10 releases, Amit Klein reported that there was an additional unfixed case where user tracking could occur using the above-mentioned technique and a pop-up window or iframe that was subsequently navigated by the user. This additional variant is identified as CVE-2010-3171.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=475585
• CVE-2008-5913

• https://bugzilla.mozilla.org/show_bug.cgi?id=577512
• CVE-2010-3171