Researcher claims to identify Tor users by mouse movements

News by Robert Abel

A security researcher has developed a proof-of-concept that can identify Tor users based on how they move their mouse.

A Barcelona-based security researcher has developed a proof-of-concept that he claims can identify Tor users based on how they move their mice.

Researcher Jose Carlos Norte has developed a series of fingerprinting methods based on JavaScript that measure time, mouse wheel movements, mouse speed movements, CPU benchmarks and getClientRects, according to a 6 March post on the researcher's site.

Norte said that if a website is able to generate a unique fingerprint that identifies each user who enters the page, then it is possible to track a user's activity and correlate visits with that user.

“Every user moves the mouse in a unique way,” Norte told Vice's Motherboard in an online chat. “If you can observe those movements in enough pages the user visits outside of Tor, you can create a unique fingerprint for that user,” he said. Norte recommended users disable JavaScript to avoid being fingerprinted.

Security researcher Lukasz Olejnik told Motherboard he doubted Norte's findings and said a threat actor would need much more information, such as acceleration, angle of curvature, curvature distance, and other data, to uniquely fingerprint a user. attempted to contact the Tor Project for comment, but it has yet to respond. However, it appears that developers are looking into the issue based on two official bug reports that mention Norte's exploits. 

