If you've run multiple accounts, you probably use some browser extensions to change your proxy and useragent, thinking that you've somehow blended in like a stealthy Assassin's Creed character.
What's funny is that up to a certain point it works. Managing a small amount of whitehat accounts is probably fine, I've done it, but at any point if a site's terms change, and if this is all you're doing to try to anonymize your accounts, don't be surprised if they all get wiped out.
I've made a list of some of the ways that just your browser alone can be tracked, giving you a huge fingerprint. Some of you who are running accounts probably already use solutions like MultiLogin, but I thought I'd share with you what I've found.
One day I had the bright idea of making my own browser, One browser to rule them all,
One browser to hide them, One browser to bring them all, and in the darkness bind them...
but there were so many ways that you could be tracked and the rabbit hole goes deep...
so I'll leave this for any of you curious.
The following methods are JavaScript code that can be called from any site you visit to get your info.

USER AGENT
A user agent doesn't usually look like this: Mozilla Firefox 10.104
It looks something like this: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.2.4.20 Safari/537.36
Those browser extensions usually use simplistic useragents or outdated ones. There are some libraries on npm that offer tons of useragents, here's a hint:
Take this code
Code:
navigator.userAgent
on your client side, and put it on one of your busiest websites, then you can store each useragent string in a database, and now you have your own database full of real useragents. Now do this with every other variable or method tracking, and you'll have a full database of real browser variables.

Plugins
Code:
window.navigator.plugins
This is not only the plugins you have installed which might say
"User Agent Spoofer" DEAD GIVEAWAY
but also the order of plugins, which might be
1: Adobe Pdf
2: Agent Spoofer
3: Proxy Changer v3.1
4: Kindle Reader
Who has all of those plugins with those versions, exactly in that order? Probably only you!

Device Memory
Code:
navigator.deviceMemory
Your device memory in GB.

Cores / Threads
Code:
navigator.hardwareConcurrency
How many cores you have.

Audio Types
Code:
document.createElement("audio").canPlayType("audio/mpeg") // call once per MIME type you want to test
What kind of audio can you play on your device?

Video Types
Code:
document.createElement("video").canPlayType("video/mp4") // call once per MIME type you want to test
What kind of video can you play? So far we know your RAM, cores, audio, video, damn near sounds like we're finding out about your computer and narrowed you down.

Platform
Code:
navigator.platform
This gets your browser's platform (win32) or what it was compiled for.

AppCodeName
Code:
navigator.appCodeName
This will say something like "Mozilla", some browser detection uses this along with useragent, if they don't match then that's a red flag. It also might be null, you can't just make it up to match a useragent, this is why real users need to be collected.

AppName
Code:
navigator.appName
This will say something like "Internet Explorer" or "Netscape". Again, I believe this can also be null depending on which browser you're trying to mimic.

AppVersion
Code:
navigator.appVersion
This is the version of your browser which almost looks like a useragent. If they don't match it's extremely obvious you're trying to hide your identity.

Cookies
Code:
navigator.cookieEnabled
Did you disable cookies? Why did you disable them? Better you should have a list of cookies from all major sites and then some to look like a real user.

DoNotTrack
Code:
navigator.doNotTrack
Many users aren't savvy enough to know what this is, better to not have this set to try to blend in as a real user.

Available Height
Code:
screen.availHeight
What's your device's available height?

Available Width
Code:
screen.availWidth
What's your device's available width? Just the height and width of your device can help narrow down who you are.

Color Depth, Pixel Depth
Code:
screen.colorDepth
Code:
screen.pixelDepth
Some more information about your device.

Canvas
An invisible element can be created on the browser in which something is rendered on the canvas, your particular device, font types, and browser will render it in one specific way only. From this a "hash" is returned and now we know who you are.
This is the one I had trouble changing. Applause to you better programmers who've managed to bypass this somehow.

WebGL
Basically info about your browser's rendering engine. Again, should be collected in the wild so a real database can be used, this stuff can't simply be made up.
There are tons more parameters, especially in shaders and how your device renders things.

Moral of the story: Use a solution like Multilogin or something else which changes all of those parameters, if you really want to be hidden as best as possible.
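
The consistency checks the post mentions (user agent against platform, appCodeName and appVersion, plus tell-tale plugin names), seen from the detecting site's side. This is an added example, not code from the original post; the snapshot object, flag names and sample values are constructed, the appVersion rule assumes Chromium/WebKit behaviour, and `screen.height` / `screen.width` are not named in the post.

```javascript
// Server-side consistency checks over a collected fingerprint snapshot.
// Field names mirror the navigator/screen properties; rules are illustrative.
const OS_RULES = [
  // [token in userAgent, expected prefix of navigator.platform]
  ["Windows", "Win"],
  ["Macintosh", "Mac"],
  ["iPhone", "iPhone"],
  ["Linux", "Linux"],
];
const TOOL_WORDS = /spoof|proxy/i; // plugin names that advertise tampering

function findInconsistencies(s) {
  const flags = [];
  const ua = s.userAgent || "";

  // A real user agent has the "Mozilla/5.0 (...)" shape.
  if (!/^Mozilla\/\d+\.\d+ \(/.test(ua)) flags.push("ua-format");

  // OS token in userAgent vs navigator.platform.
  const rule = OS_RULES.find(([token]) => ua.includes(token));
  if (rule && !String(s.platform).startsWith(rule[1])) flags.push("ua-platform");

  // appCodeName should agree with the userAgent prefix.
  if (ua.startsWith("Mozilla/") && s.appCodeName !== "Mozilla") flags.push("ua-appCodeName");

  // Assumption: on Chromium/WebKit, appVersion is the userAgent minus "Mozilla/".
  if (ua.includes("AppleWebKit") && s.appVersion !== ua.slice("Mozilla/".length)) {
    flags.push("ua-appVersion");
  }

  // Plugin list that names a spoofing or proxy tool.
  if ((s.plugins || []).some((name) => TOOL_WORDS.test(name))) flags.push("plugin-name");

  // The available area can never exceed the full screen.
  if (s.availHeight > s.height || s.availWidth > s.width) flags.push("screen-size");

  return flags;
}

// Constructed snapshots: one coherent, one with only the user agent and plugins changed.
const UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
const consistent = { userAgent: UA, platform: "Win32", appCodeName: "Mozilla",
  appVersion: UA.slice("Mozilla/".length), plugins: ["PDF Viewer"],
  availHeight: 1040, height: 1080, availWidth: 1920, width: 1920 };
const spoofed = { ...consistent, plugins: ["PDF Viewer", "User Agent Spoofer"],
  userAgent: UA.replace("Windows NT 10.0; Win64; x64", "Macintosh; Intel Mac OS X 10_15_7") };

console.log(findInconsistencies(consistent));
console.log(findInconsistencies(spoofed));
```

Changing only the user agent string leaves platform and appVersion pointing at the original browser, which is why the second snapshot collects three flags.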