Canvas Fingerprinting

Posted by janandonly 10/26/2024

Canvas Fingerprinting(browserleaks.com)

101 points | 117 commentspage 2

iforgotmysocks 10/27/2024|

Currently use Safari and there's no protection against canvas fingerprinting :(

https://webkit.org/tracking-prevention/#anti-fingerprinting

galad87 10/27/2024|

There is, try to load the website again in a new window or tab, it will show a different fingerprint.

ruthmarx 10/27/2024||

What I find more interesting is how some sites can detect your OS even if you block JS and change the user agent to indicate something different. I assume it's checking for known fonts or something similar.

trod123 10/27/2024||

Fonts are the low hanging fruit. More sophisticated servers run a whole battery of hardware fingerprinting tests. It runs deep.

If the device has been powered on for a certain period of time (usually a few minutes), the voltage normalizes and you get a unique clock skew signature based on the defects of the silicon, for each enumerable device that may be available from various JS API calls, or potential zero days, adds another data point for uniqueness.

Passive listenings of local network traffic headers will provide a local network topology of metadata of local proximity devices that can often be cross referenced (since cable modems often collect this info as well as other embedded devices).

Its a strategy called building a bridge. You start from the device which has an associated profile, that profile only need to be unique and may only start off as an identifier (nothing else) and the endpoint and you meet somewhere in the middle, backfilling information as you go. No personal info needed upfront.

CSS previous visited link decorators is another avenue for fingerprinting. It violates same-domain policy, but there was a PoF back in 2021 where you could generate picture squares identical to a captcha asking for specific picture or puzzle that was generated to be tied to the CSS decorator (thus submitting your browser history beacons to that site in its entirety). Think it was varun.ch?

varun_ch 10/27/2024|||

https://varun.ch/posts/history/ :)

Nadya 10/27/2024||

That's a good assumption because that's exactly one way it is done. :)

chvid 10/27/2024||

I am on Safari and if I open two private windows with this websites it will give me two different signature values.

Chrome on the other hand will be give me two identical values.

So I guess Apple is doing something ...

bhouston 10/27/2024||

I am confused.

You can already ask the browser what OS, CPU, device and browser it is without fingerprinting the canvas. You can get the version of the browser, and OS as well.

I use the popular US-Parser-JS library, works like a charm: https://www.npmjs.com/package/ua-parser-js. (I use it for https://web3dsurvey.com.)

(Also the WebGL and WebGPU APIs will also tell you the GPU hardware you have.)

efilife 10/27/2024||

Canvases can vary very slighly between users' setups. The inconsistencies in rendering are used to fingerprint

And to my knowledge you can't ask the browser about the cpu, only the number of cores. The regular fingerprinting you described would be just an user agent string that can be trivially spoofed

bhouston 10/27/2024||

> Canvases can vary very slighly between users' setups. The inconsistencies in rendering are used to fingerprint

I think it overlaps mostly with OS, CPU, Browser, GPU Type, GPU driver version. These can already be queried by UA string and WebGL/WebGPU. It is easier to query them explicitly for most users but I guess canvas fingerprinting is a fallback for when these APIs do not return some of the data.

> And to my knowledge you can't ask the browser about the cpu, only the number of cores.

Generally you can. Not all browsers give up all info, but most browsers give up most of the info. Here is a demo of what you get from ua parsing: https://uaparser.dev/#demo

IggleSniggle 10/27/2024||

Years ago you could get crazy specific fingerprints from canvas. It got far less precise when Chrome introduced jitter into timers and treated performance timers as security sensitive functions. The main difference between canvas and this other stuff is that canvas couldn't be spoofed whereas everything else could and can be spoofed, or was so general as to be useless as an identifier.

Jerrrry 10/27/2024|||

The granularity of the performance timers were too specific, allowing the number of cores to be deduced by the amount of time it took to do certain math functions.

Those certain math functions happen to be floating point operations that are ordered in a way to maximize the inaccuracy property off floating point types.

These inaccuracies are very correlatable.

trod123 10/27/2024|||

That's not true.

The jitter had very little intended effect since accurate system timing can be derived from the instruction processing time of arbitrary javascript code in a mostly browser agnostic way, specifically iteration (i=i+1). It applied broadly to a large number of different types of instructions

IggleSniggle 10/30/2024||

But how do you measure the timing of those instructions without a precise timer? Yes it was the instructions that produce the reproducible timing, and that timing will be consistent on the system, but the measurement of those timings from the performance timers will not display that same consistency. Is there another way to measure from a within-session context?

0points 10/27/2024||

> I am confused.

> You can already ask the browser what OS, CPU, device and browser it is without fingerprinting the canvas. You can get the version of the browser, and OS as well.

Fingerprinting is not about detecting your user agent, it is about detecting YOU in a sea of otherwise identical user agent strings.

krunck 10/27/2024||

My Brave browser seems to be 100% unique.

Beijinger 10/27/2024|

It should give a fingerprint. Try to reload in another tab and see if you stay unique and if the fingerprint changes. I am also unique, but I always stay unique ;-)

atum47 10/27/2024||

Apple once disabled canvas for their devices for this reason and broke all my apps, haha.

80% of my projects use canvas

jagged-chisel 10/27/2024||

“It's very likely that your web browser is Google Search App …”

It’s not. Do I win?

DeathArrow 10/27/2024||

>It's very likely that your web browser is Chrome and your operating system is Android.

Android guess is correct. But the browser is Edge, not Chrome.

wwwtyro 10/27/2024||

I know my priorities are questionable, but I'm more annoyed that I can't expect consistent canvas rendering.