Researchers develop cross-browser fingerprinting technique

Researchers have developed a cross-browser fingerprinting technique that uses operating system and hardware level features.

Fingerprinting has been limited for the most part to individual web browsers in the past. If a user switched browsers regularly, fingerprinting could not be used to link the user to these browsers.

Fingerprinting tests like the Electronic Frontier Foundation's Panopticlick or BrowserPrint, try to gather data about the browser and underlying operating system. They use all the data to create a fingerprint of the browser/computer combination, and may be able to do the same in future sessions.

Cross-browser fingerprinting was out of the picture up until now. While other methods existed to track users across browsers, for instance by requiring them to sign into accounts to use a service or recording IP addresses, no fingerprinting method came close to providing a working solution.

Cross-browser fingerprinting

cross browser fingerprinting

The researchers who published the research paper (Cross-)Browser Fingerprinting via OS and
Hardware Level Features think that they have found a way.

In the paper, we propose a (cross-)browser fingerprinting based on many novel OS and hardware level features, e.g., these from graphics card, CPU, audio stack, and installed
writing scripts. Specifically, because many of such OS and hardware level functions are exposed to JavaScript via browser APIs, we can extract features when asking the browser to perform certain tasks through these APIs. The extracted features can be used for both single- and cross-browser fingerprinting.

They have created an online service that demonstrates the fingerprinting technique. It is called Unique Machine, and works on any device that supports JavaScript.

A click on Get My Fingerprint starts the process. It works, if JavaScript is enabled, and if connections to a few sites are allowed. The scan takes a couple of seconds to complete.

get fingerprint

The result is a browser fingerprint, and also a computer fingerprint; the latter is not finalized yet and still in development.

You may hit the details button on the Unique Machine website for the list of tested cross-browser features.

The following features are tested currently:

  • Time Zone.
  • Number of CPU Cores.
  • Fonts.
  • Audio.
  • Screen Ratio and depth.
  • WebGL.
  • Ad Blocking.
  • Canvas.
  • Cookies.
  • Encoding.
  • GPU.
  • Hash values of GPU rendering results.
  • Language.
  • Plugins.

The idea is now that you will get similar results when you use a different browser on the same system to run the fingerprinting test a second time.

The researchers state that the technique identified 99.2% of users correctly. The sample size is a bit small, 1903 users and 3615 fingerprint samples.

I ran tests on a machine using different browsers, and results were mixed. The computer fingerprint was identical when I ran the fingerprinting test in Chrome, Chrome Canary and Vivaldi, but different in Firefox and Edge.

The three browsers the hash was identical in are all based on Chromium. This is probably the reason why the fingerprint was identical.

The source code of the cross browser fingerprinting site is available on GitHub.

Now You: Did you cross-browser fingerprinting work on your devices?

Summary
Article Name
Researchers develop cross-browser fingerprinting technique
Description
Researchers have developed a cross-browser fingerprinting technique that uses operating system and hardware level features.
Author
Publisher
Ghacks Technology News
Logo
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Researchers develop cross-browser fingerprinting technique

  1. Timmie February 14, 2017 at 4:21 pm #

    holy shit, they got my computer id right. i tested on firefox and ie and the test was able to identify the computer. this proves that all that privacy related addons are all BS.

    • Martin Brinkmann February 14, 2017 at 4:32 pm #

      Solution: use as many different values for anything that they test. Or, use NoScript ;)

    • _Handsome_Jack February 14, 2017 at 4:50 pm #

      Which add-ons were you using that didn't protect you ?

      Spoofing is very hard to get right, if at all possible. IMO only a browser can do it right. An add-on could probably succeed but it's hard, and since it is only used by a small # of people, there's a risk of counterproductivity. I wouldn't dismiss all spoofing add-ons, just saying that this approach to fingerprinting protection is particularly tricky.
      Random Agent Spoofer for instance tries pretty hard. I don't know if it's enough for me to trust it but it's way better than simple user agent spoofing.

      So instead of spoofing, you can block. That's the most sure-fire defence to this day.

  2. _Handsome_Jack February 14, 2017 at 4:28 pm #

    Solution for Firefox:
    - NoScript
    - privacy.resistFingerprinting (a feature in development that is meant to enable Tor Browser grade protection when it's ready)

    For Tor Browser:
    - Increase security slider so scripts are disabled globally

    In the future, it would be nice that browsers be able to filter scripts for fingerprinting attacks, like they do to protect themselves against security exploits. E.g.:
    - Turn fingerprinting libraries into a bunch of empty functions with the same signature, similarly to what NoScript does with Google Analytics for site compatibility reasons.
    - Filter XHR and submits so fingerprinting libs that were not caught can't send the results of their work back home.

    That way JavaScript doesn't have to be turned off. In 20 years, will there be any website left that works without JavaScript ? Better fix it before that happens.

    • MdN February 15, 2017 at 1:15 pm #

      Got stuck at "Running, Fingerprinting GPU..." with Opera, using uMatrix. I guess they can only do it if I enable something on the page that is disabled by default by this extension.

      • spinnin fingers February 19, 2017 at 3:20 am #

        I can confirm this. Same result here. with PALEMOON 27.0.3 (x64) + uMatrix + uBlock Origin (for years I also use quickjava, but today with GL RTC SL C A J and F turned off )

        She's spinnin that's it.

  3. Toaster February 14, 2017 at 4:58 pm #

    Am I to understand that if JavaScript is enabled, only then can my machine be read? Since I don't use Javascript, I'm immune? I ran it the link with FF 51 and an assortment of blockers: github, disconnect, random agent spoofer, a vpn, disable webrtc.

    And this is their result: "Your graphics card does not seem to support WebGL.Find out how to get it here." I clicked the link. Nothing happened. So does that mean my machine can't be read? Am I protected?

    • _Handsome_Jack February 14, 2017 at 5:16 pm #

      Yes you are, because of NoScript which blocks the tests that are most useful in building a unique fingerprint. Some tests could still succeed in the wild (even if the demo fails), but they are fewer and less "talkative".

      That's where Random Agent Spoofer helped in your case, as it spoofs these values. I can't tell you for sure whether this spoofing is effective or counterproductive, but with JavaScript disabled and provided you are spoofing a Firefox browser rather than a Chrome one, I would call it effective.

      All they should be able to infer from Martin's list is that you are using a VPN, an ad-blocker and blocking scripts. (Assuming you didn't forget anything in your list)

      That still makes you a rare bird on the web, but not unique. More importantly your exposure to attacks is greatly diminished, that's where most of your protection comes from.

  4. rramprasad February 14, 2017 at 5:37 pm #

    this cross browser fingerprint system is a very good idea.

    • alfie February 15, 2017 at 5:58 pm #

      asshat!

  5. Ray February 14, 2017 at 6:12 pm #

    You could also just turn off WebGL and the fingerprinting for this test would fail to generate.

    But, I guess that would also make you unique, but on par with disabling JS on tests like these.

    • Grul February 14, 2017 at 6:29 pm #

      But there are plenty of other tests :)

  6. [email protected] February 14, 2017 at 6:40 pm #

    Just disable WebGL and don't give your browser direct access to your hardware.

  7. Joey Spinosa February 14, 2017 at 7:47 pm #

    Wow, Martin... Wow.

    This thing is scary. I tried it, and like others here using Firefox, it was able to get a pretty good fingerprint for me. A couple of points for the novices among us:

    1) This has nothing to do with your IP address or data encryption... This means if you use a secure VPN (as I do) it won't make a spit of difference.

    2) The consensus seems to be to block or disable Javascript. I tried that. It works. Trouble is, seems that everything I do online, important stuff, like my personal banking, won't work anymore. Can anyone give an approximation of how many sites require Javascript? More important, are sites that require logins and passwords, are these sites using Javascript to produce their pop-up sign-in screens? It appears that way to me.

    I'll get a bit personal here, because I really want to know... I'm retired now, but I worked in IT most of my adult life. I'm pretty knowledgeable concerning Windows OS and Networking, perhaps less so with browsers and web-page creation and tools such as Javascript. I use a password manager (Dashlane) and I have no less than 81 accounts set-up with strong passwords. Being retired and far less mobile than I used to be, I do everything online... Shopping, paying bills, medical stuff, (Yes I'm also a full-fledged AARP guy). Out of those 81 (secure?) accounts, I probably need to use about a dozen on a daily/monthly basis.

    Those are the ones I tried with Javascript blocked in Firefox, and EVERY single one failed to load or get me signed in to the account.

    I read Ghacks just about daily. You folks, for the most part, are very helpful and always quite clever.

    I already use a VPN (OpenVPN with the OpenVPN Private tunnel client), I use Dashlane, I have maybe three extensions loaded in Firefox. I have tweaked Firefox so that it is mildly locked down. I do clear all history's upon exit. When Dashlane is working properly, it's no trouble that the browser starts with zero history, cookies, etc. because Dashlane makes it so simple to zip right on to my accounts, even those with multi-step logon sequences (once you configure Dashlane properly).

    I spent a good deal of time deep in the confines of a corporate networking department, so I run a home network and do all my antivirus with hardware at the gateway (where AV should reside) my ISP is AT&T and their modem/router is crap, (but it is required to get the WAN) and I have a first rate router directly behind it and it's locked down (Made by ASUS, hardware firewall by TrendMicro).

    So what, good friends, is the proper solution here? I'm not an evil doer, I just value my privacy. If I were younger, I'd still do all my banking and medical things in person. No internet. That's not the case anymore.

    I really don't like this finger-print thing. It really rubs me the wrong way.
    Thanks in advance for any advice you can offer. For me, this is more important than the "principal" of privacy. The things I do online are important to my life. Seriously. One day you will be old and in the same boat!
    Thanks, Best Regards,
    Mr. Joey

    • Don February 14, 2017 at 10:27 pm #

      I guess the trick is to use the NoScript or similar addon, and whitelist the sites you trust, like you banking site.

    • _Handsome_Jack February 15, 2017 at 10:06 pm #

      Use a different profile for banking or buying stuff than you do for regular surfing. Though Containers may let you keep everything in one profile without worry, when it's released.

      I'm a NoScript user but an interesting profile is the following one:
      - Use uBlock Origin in mostly default mode, with a bunch of filters
      - Use uMatrix in default deny mode making sure you don't have duplicate filters with uBlock
      - Allow permanently the resources needed for your bank, maybe a couple other sites involving money.
      - Don't use the profile for anything else
      - Clear all data when you're done with a session

      This way the main threats are all thwarted: Ads, 3rd party resources, basically all network requests that don't go to the relevant company you are dealing with are blocked. But since you don't have many other changes within this Firefox profile, they work perfectly without any intervention past the first visit.

      Don't hide your real IP or fingerprint to them. You're giving them your credit card number anyway, and in particular banks make use of JavaScript to increase security too. You just need to make sure the companies can't track you with your everyday profile, and if they sell your data, that companies who acquire it won't be able to link it to your main identity as you visit them or load them as third parties.

  8. hessam February 14, 2017 at 8:00 pm #

    this just can detect this from pc
    Fingerprinting GPU...
    Your graphics card does not seem to support WebGL.
    Find out how to get it here.

    and nothing more.
    here addon i installed.i think no-resource-uri-leak will block all except above
    https://addons.mozilla.org/en-US/firefox/addon/browser-jsguard/
    https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak
    real profile
    https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer
    https://addons.mozilla.org/en-US/firefox/addon/refcontrol
    https://addons.mozilla.org/en-US/firefox/addon/pop-up-control/

    firefox 45.7 esr

  9. RossN February 14, 2017 at 8:11 pm #

    Your graphics card does not seem to support WebGL.
    Thanks Brave!

  10. John Trollinski February 14, 2017 at 8:13 pm #

    * Time Zone = (This can be changed at the operating system level, its recommended before using a VPN)
    * Number of CPU Cores = (Diffucult to protect agaisnt so far, there are scripts that can spoof "navigator.hardwareConcurrency" in Firefox)
    * Fonts = (Firefox 52 allows you to spoof the fonts using font.system.whitelist)
    * Audio = (Disalble the audio context api in firefox "dom.webaudio.enabled")
    * Screen Ratio and depth = (This can be spoofed using "Random Agent Spoofer" in Firefox)
    * WebGL = (Disable using "webgl.disabled" in Firefox)
    * Ad Blocking = ("uBlock Origin")
    * Canvas = (Block canvas using "Random Agent Spoofer" or spoof it using "canvas defender" in Firefox)
    * Cookies = ("This can be disabled in the browser")
    * Encoding = ("Random Agent Spoofer")
    * GPU = (Research is being devoted to this)
    * Hash values of GPU rendering results = (Research is being devoted to this)
    * Language ("Random Agent Spoofer")
    * Plugins ("Random Agent Spoofer"

    • just my 2 cents February 14, 2017 at 9:19 pm #

      dom.enable_performance => false
      media.navigator.enabled => false
      media.peerconnection.enabled => false
      network.http.referer.trimmingPolicy => 2
      plugin.state.flash => 0
      plugin.state.java => 0
      webgl.disabled => true

  11. Pants February 14, 2017 at 8:43 pm #

    After wholesale blanket allowing JS and XSS to run, I get immediately get the following message: "error getting susan model" ... the page itself has stalled and it bitching about WebGL

    I only have two questions .. who is this susan, and does she have model friends who do not throw errors?

    If the code was robust enough to handle exceptions and not break down.. makes me wonder if the bulk of this relies on WebGL

    Solutions:
    1. reduce the attack surface - disable APIs, control XSS and JS, tighten browser prefs, use extensions for specific granular control
    2. browser initiated solutions such as the tor uplift
    3. and without wanting to discussing the merits of either in depth - either spoof values (lower entropy) or constantly randomize them (raise entropy to the point of being unique all the time). I personally prefer the first, which is TBB's philosophy. There are some flaws in the second approach, lets say you randomize every 15 minutes, that still leaves a 15 minute opportunity to track you across sites - the approach would be a new randomization per domain. That said, there are definitely times you want to spoof - canvas is a good example.

    See "Strategies for Defense: Randomization versus Uniformity" (scroll down a bit into the 4.6 section) - https://www.torproject.org/projects/torbrowser/design/index.html.en#fingerprinting-linkability

    • earthling February 15, 2017 at 2:10 pm #

      "that still leaves a 15 minute opportunity to track you across sites"

      Do you change your IP every 15min or less?

      • Pants February 16, 2017 at 4:12 am #

        That too, is a valid concern. I was looking at the UA in isolation. Frequent/rapid IP changes is a different issue, but yes, there are ways to do it (besides the bleeding obvious of not cross-contamination in OpSec). VPNs allot multiple users to a single IP - and you can manually (automated?) flick to different servers (yes you can manually flick a new random UA, but I wasn't comparing the two). TBB lets you do the same. JoDonym changes your IP every 10 minutes (I think).

        Personally, since I am not currently in a Black Op (after building 7, I said never again), I'm not changing my IP every individual website session.

    • earthling February 15, 2017 at 3:44 pm #

      I like my models like I like my Building 7, going down for no reason

      • Jason February 15, 2017 at 9:27 pm #

        @earthling: Don't make me burst into embarrassing laughter while I'm at a coffee shop!

  12. deadbeef February 14, 2017 at 9:21 pm #

    uMatrix master race:

    * * * allow
    * * cookie block
    * * frame block
    * * plugin block
    * * script block

    • earthling February 15, 2017 at 2:11 pm #

      * * * block
      * * frame block
      * * plugin block
      * 1st-party css allow
      * 1st-party image allow

  13. Tinfoil_hat February 15, 2017 at 9:42 am #

    I found QubesOS a great tool for creating and use multiple browser configuration in different virtual machines This way I can have a browser configuration that my bank find correct to work (and use it only for bank related operations) using that virtual machine, then using another virtual machine with browser settings made to ensure maximum protection for general web surfing, meanwhile another virtual machine aptly made for managing server via VPN.... this way you can simulate different machines with different mac addresses with different configuration for different uses but all of these machines are virtual, that is, can be modified with few mouse cliks in order to have it "new" every time or simply different. I do know that requires a well structured machine with lot of RAM and cores but it is worth of it.
    So a good host computer is required and in my case I got 4 ethernet interfaces, one is always connected to internal LAN the other three are for "WAN" witch I phisically connet to internet gateway only when needed and never the same eth interface for long time.
    There is also another phisical machine simulating "average user" with "average software" with "average tasks" performed just to make things look average and normal.

    • GDP February 15, 2017 at 1:44 pm #

      I haven't tried it yet. Can you try out like 2 default Firefox profiles on 2 different VMs and see if the fingerprints look the same ?

  14. Owl February 15, 2017 at 12:08 pm #

    Mr Joey: It sounds like you are doing a whole lot of things right. Do you have uBlockOrigin? Do those log-in sites work with that? If they do, have you tried 'Prevent WebRTC from leaking local IP addresses'? Options-Dashboard-Settings, (check after each FF upgrade to see that it is ticked). See Ray and [email protected]'s comments.

    What Don said is good. NoScript and whitelisting your sites. Or just NoScript, which won't work with your needed sites, but you could use it for all/most other browsing.

    Maybe, nowadays, partial solutions are all that we can do? Let's face it, its ad trackers, ads and malware we are really blocking.

    • Joey Spinosa February 17, 2017 at 12:33 am #

      Thanks Owl and everybody else on this thread!
      I'm still working things out, but I now have 3 distinct FF profiles. My taskbar FF shortcut runs "firefox.exe -p" which let's me choose the desired profile upon launch.

      One profile for banking and medical ONLY. I originally made this a private window (with the -private switch) but that seems to disable all extensions by default... Unless I'm missing something there.

      One profile for shopping. Yes, Amazon.com and NewEgg.com both know me well. I can't help it. I'm addicted. Feel sorry for me!

      Clearly, I have a lot more to learn about Firefox and extensions. Perhaps I could borrow secret agent "Pants" for a couple days. I know how to cook if that's any incentive :-)

      Couple more observations...
      1) I reckon I'm pretty well invested in Firefox now. Hope Mozilla doesn't screw this up!

      2) On the hardware front, I've always built my own PC's... Used my meager tax refund two years ago to build the current workstation AMD FX8350, 16GBRAM 2x256GB SSD (one of which is an M.2, because, well, the Gaming MB I bought had a slot for it, so I had to check it out!) Radeon 390 graphics, dual Dell 24" screens and there is a NAS on the home network for back-up, it's got a Barricuda 3TB drive inside. I'll probably build again in a couple years, but I've always been a hardware geek (And daily NewEgg e-mails tells me they KNOW it too!)

      I'm counting on Ghacks (looking at you Martin) and all the fine contributors here to make it so my profiles and extensions carry through the upcoming release changes. Let the old man know if I need to stop an upgrade from the mothership (Mozilla) will ya?

      Thanks so much y'all,
      Regards,
      Mr. Joey

  15. Anonymous February 15, 2017 at 1:03 pm #

    And who will search these anonymous? "Researchers" so that we can track them too @#$!?

  16. earthling February 15, 2017 at 3:39 pm #

    IMO the only real solution to deal with this shit is to try and get everyone to use an ad-blocker.
    As soon as those ad-networks notice that nobody sees or clicks their stupid ads anymore, they are most likely bound to stop. So tell everyone you know, friends, family, co-workers, everyone and their grandma to install an ad-blocker, or do it for them when they ask you to help them with a computer problem. We, here, who know a thing or two about computers are not the primary targets of those ad-networks. Let's spread the word, let's drain the ad-networks swamp folks ;)

    • Pants February 16, 2017 at 4:14 am #

      #AlternativeAds - the ones where there are none ;)

Leave a Reply