How HTML5 APIs can fingerprint users
Antonio Gioia, 2015
Warning: some configuration procedures might be different on current browser versions
If you think that IP address, cookies and HTTP headers are the only factors used to uniquely identify and track users around the web… you are terribly wrong!
New, modern fingerprinting techniques rely on multiple factors:
- IP address
- Language settings
- HTTP headers (User agent, referer, etc)
- HTML5 APIs (WebRTC, Battery API, etc)
- HTML5 and CSS3 features detection
- CSS media queries
- Browser plugins (Flash, Silverlight, Java, etc)
- Browser add-ons
- Browser options (Do-Not-Track etc)
- Browser storage
- System fonts
- TLS/SSL Session IDs
- Hardware detection (Camera, Mic, Touch screen, etc)
- Screen (resolution, color depth, pixel density, etc)
- Audio and video codecs
- Accessibility features
And the list goes on. Recent W3C additions to HTML standards allow developers to communicate with the user device for enhanced options in websites, apps or games. It is not surprising that many APIs are exploited to actually calculate a more precise user fingerprint.
What is a fingerprint?
Imagine you walk in a shop and at the entrance an advanced camera scans you and saves informations like: body type, height, skin color, walk style, tone of voice etc. All this data is then serialized and passed through a hashing function to calculate your unique fingerprint. Next time you visit the shop or a shop of the same franchise, even if you have different dressing style, with a quick analysis your fingerprint is still associable to the one of your previous visit.
The same happens visiting a webpage with a browser (without user explicit cooperation).
Doesn’t matter you are not logged in or you disable cookies. It is still possible to associate a user to a token, it is not 100% accurate technique (yet) but continues to evolve.
Electronic Frontier Foundation researched browser fingerprinting in the publication “How unique is your Web Browser?” (PDF). An accurate description of device fingerprinting is on WebKit Wiki and on "Device fingerprint" article on Wikipedia.
When the browser visits a webpage with a canvas fingerprinting script, it is instructed to draw a hidden graphic that gets converted to a token. The uniqueness of the token depends by factors like browser, operating system and installed graphics hardware.
To avoid Canvas fingerprinting you can either:
- use uBlock Origin (available for any browser) or CanvasFingerprintBlock (Chrome only) extensions
- use Tor Browser
According to researches Battery Status API is able to get level, charging time and discharging time of device battery. All this data combined together is nearly unique for each device and battery status, potentially allowing the tracking of activities on the web.
A paper titled “The leaking battery – A privacy analysis of the HTML5 Battery Status API” (PDF) targets Firefox users on Linux systems. As result of the impressive study: ”We propose minor modications to Battery Status API and its implementation in the Firefox browser to address the privacy issues presented in the study. Our bug report for Firefox was accepted and a fix is deployed.”
On Chrome you can install the add-on Battery Info Blocker to prevent websites from accessing your battery info.
You should disable WebRTC if you don’t use it. WebRTC leaks your local IP and might leak your IP on VPN (on Windows) other than be another factor used to fingerprint your system. Test WebRTC leaks on you browser.
To avoid WebRTC leaks you should use Firefox and disable WebRTC opening
about:config, find the value
media.peerconnection.enabled and set it to
On Chrome you can install the add-on uBlock Origin and check the extension options.
Developers can use this API to collect complete timing information related to resources on a document. Concerns involving privacy are expressed in the Resource Timing Working Draft: “Statistical fingerprinting is a privacy concern where a malicious web site may determine whether a user has visited a third-party web site by measuring the timing of cache hits and misses of resources in the third-party web site.“
If you use Firefox you can disable this API opening
about:config and setting to
false the options
If geolocation is enabled can reveal your physical location compromising your privacy. Modern browsers and apps always ask permission to get geo location data.
To disable this feature permanently on Firefox you should open
about:config in the address bar, look for
geo.enabled value and set it to
On Chrome go to Settings, then Show advanced settings, find Privacy block and click on Content settings, in this window look for Location and select the option Do not allow any site to track your physical location.
A paper titled “Hardware Fingerprinting Using HTML5” (PDF) shows new potential techniques that rely on the ability to communicate with device hardware to get a specific hardware fingerprint in addition to a software based one (browser, Os, etc).
The paper shows that hardware like GPU (modern browsers use hardware acceleration), camera, speakers and mic, motion sensors, GPS and battery can all be accessed with HTML5 (not always with user permission) and in particular GPU can effectively be used to fingerprint users.
- Device fingerprinting
- What is fingerprinting?
- EFF: How Unique Is Your Web Browser? (PDF)
- EFF: Panopticlick tests your browser to see how unique it is
- The Web never forgets: Persistent tracking mechanisms in the wild
- A privacy analysis of the HTML5 Battery Status API (PDF)
- Hardware Fingerprinting Using HTML5 (PDF)
- Browser leaks and web browser fingerprinting
- Modern & flexible browser fingerprinting library
Feel free to save or share this article. If you notice a mistake or want to contribute to a revision of the article contact me at email@example.com.