High-Tech, Cross-Browser Fingerprinting
Written by Nikos Vaggalis   
Wednesday, 01 March 2017

Do you trust that getting rid of third party cookies keeps you safe from tracking? Think again as there's a new cross-browser tracking that can follow you no matter how often you delete cookies or switch browser. 

Nowadays, privacy issues arising from surfing the web are well known to the public and so are their countermeasures: cleaning your browser's cache, removing cookies, deleting history, installing ad-blockers and privacy aware extensions which reveal the trackers behind every page you visit. These are more or less the minimum of actions you can employ in feeling moderately safe.

Of course there's much more you can do, such as Tor-enabled browsing, using a VPN or embrace the extremes of SilentKeys' Privacy Aware Keyboard. Nevertheless, all these measures fall within the realm of the superuser and are beyond the expertise of the general public.

However there's a new technique that exploits other innocently leaked information by the browser in order to track your steps in cyberspace; a sophisticated approach which:

utilizes many novel OS and hardware level features, such as those from graphics cards, CPU, and installed scripts. We extract these features by asking browsers to perform tasks that rely on corresponding OS and hardware functionalities.

Because many of such OS and hardware level functions are exposed to JavaScript via browser APIs, we can extract features when asking the browser to perform certain tasks through these APIs.The extracted features can be used for both single- and cross-browser fingerprinting.

The team of researchers from Lehigh University, in Bethlehem, Pennsylvania set out to investigate the possibility of using OS and hardware level features to track users not only within a single browser but also across different browsers on the same machine.

The results are reported in (Cross-)Browser Fingerprinting via OS and Hardware Level Features presented this week at the 24th Annual Network and Distributed System Security Symposium NDSS 2017 which suggest further tracking techniques based on graphics and rendering which exploit the: 

  • Line, curve, and anti-aliasing 2D features which are supported by both Canvas (2D part) and WebGL.

  • Vertex shader, rendered by the GPU, which converts each vertex to its coordinate in a 2D clip-space.

  • Fragment shader, which processes fragments, such as triangles output by rasterization.

  • Transparency via Alpha Channel, a feature provided by the GPU and the driver, which allows the background to be intermingled with the foreground.

  • Image encoding and decoding in different formats, such as JPEG, PNG, and DataURL.

  • 3D Modeling, the computer graphics process of mathematically describing an object via three-dimensional surfaces.

  • Lighting and shadow mapping.

  • Camera, which maps 3D points in a space onto 2D points in an image.
  • Clipping Planes, which restrict the rendering operations within a defined region of interest.

The researchers acquire access to these metrics through Javascript APIs running on the user's browser by getting it to perform various rendering tasks, similar to 3D benchmarking software, such as drawing curves and lines, which also include obtaining OS and hardware level information, the likes of screen resolution and timezone information. The browser, in order to fulfill these tasks calls into the OS, and the results are then converted into hashes so that they can be conveniently sent to the server. The server then collects the hashes sent over by each individual browser and algorithmically combines them to generate a unique machine cross-browser signature, with a confidence rate of over 99%.   

In the fingerprinting benchmarks that were performed there's a newsworthy gem - IE and Edge were the browsers with the highest leak rate, as such greater fingerprinting capability, when subjected to the single browser fingerprinting tests.

The project is split into client and server parts, with the former involving approximately 14K lines of JavaScript, 1K lines of HTML, 2.4K lines of Coffeescript, while the latter has 3.7K lines of Python code encapsulated as an Apache server embedded module.
The source is open and available on GitHub.


Given that a demonstration is worth a thousand words, the authors have set up a website which you can visit and get your unique browser and machine emitted fingerprint. This opportunity was too good to miss and we subjected one of our own machines to it, by visiting the web page from both Firefox and Chrome.

 Fingerprint of Chrome   


Fingerprint of Firefox  


The verdict was truly scary; a flawlessly identical machine level signature.

It really does seem that your machine is the universal undeletable cookie that you cannot defeat.



More Information

(Cross-)Browser Fingerprinting via OS and Hardware Level Features-Resarch Paper

Source on GitHub

Uniquemachine-Online demonstration

Related Articles

SilentKeys A Privacy Aware Keyboard

New Facebook Computer Vision Tags

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.



ScyllaDB 6 Adds Node Distribution Feature

ScyllaDB 6.0 has been released with two major features that change the way it works: a dynamic way to distribute data across nodes that significantly improves scalability; and support for strongly con [ ... ]

MySQL 9 Adds Support For JavaScript Stored Procedures

Oracle has announced that support for JavaScript functions and stored procedures has been added to the MySQL database server. The enhancements were added to MySQL 9, an 'innovation release', whic [ ... ]

More News

kotlin book



or email your comment to: comments@i-programmer.info

Last Updated ( Wednesday, 01 March 2017 )