How your Browser is Tracked

lotus13

Jr. VIP
Joined
Apr 8, 2016
Messages
229
Reaction score
168
If you've run multiple accounts, you probably use some browser extensions to change your proxy and useragent, thinking that you've somehow blended in like a stealthy Assassin's Creed character.

What's funny is that up to a certain point it works. Managing a small amount of whitehat accounts is probably fine, I've done it, but at any point if a site's terms change, and if this is all you're doing to try to anonymize your accounts, don't be surprised if they all get wiped out.




I've made a list of some of the ways that just your browser alone can be tracked, giving you a huge fingerprint. Some of you who are running accounts probably already use solutions like MultiLogin, but I thought I'd share with you what I've found.

One day I had the bright idea of making my own browser, One browser to rule them all,
One browser to hide them, One browser to bring them all, and in the darkness bind them...

but there were so many ways that you could be tracked and the rabbit hole goes deep...
so I'll leave this for any of you curious.

The following methods are javascript code that can be called from any site you visit to get your info.


USER AGENT

A user agent doesn't usually look like this: Mozilla Firefox 10.104

It looks something like this: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.2.4.20 Safari/537.36

Those browser extensions usually use simplistic useragents or outdated ones. There are some libraries on npm that offer tons of useragents, here's a hint:

Take this code
Code:
navigator.userAgent
on your client side, and put it on one of your busiest websites, then you can store each useragent string in a database, and now you have your own database full of real useragents. Now do this with every other variable or method tracking, and you'll have a full database of real browser variables.


Plugins

Code:
window.navigator.plugins
This is not only the plugins you have installed which might say
"User Agent Spoofer" DEAD GIVEAWAY
but also the order of plugins, which might be
1: Adobe Pdf
2: Agent Spoofer
3: Proxy Changer v3.1
4: Kindle Reader
Who has all of those plugins with those versions, exactly in that order? Probably only you!


Device Memory


Code:
navigator.deviceMemory
Your device memory in GB.


Cores / Threads

Code:
navigator.hardwareConcurrency

How many cores you have.



Audio Types

Code:
audio.canPlayType("types")

What kind of audio can you play on your device?


Video Types

Code:
video.canPlayType("types")
What kind of video can you play? So far we know your ram, cores, audio, video,
damn near sounds like we're finding out about your computer and narrowed you down.


Platform

Code:
navigator.platform
This gets your browser's platform (win32) or what it was compiled for.


AppCodeName

Code:
navigator.appCodeName
This will say something like "Mozilla", some browser detection uses this along with useragent, if they don't match then that's a red flag. It also might be null, you can't just make it up to match a useragent, this is why real users need to be collected.


AppName

Code:
navigator.appName
This will say something like "Internet Explorer" or "Netscape". Again, I believe this can also be null depending on which browser you're trying to mimic.


AppVersion

Code:
navigator.appVersion
This is the version of your browser which almost looks like a useragent. If they don't match it's extremely obvious you're trying to hide your identity.


Cookies

Code:
navigator.cookieEnabled
Did you disable cookies? Why did you disable them? Better you should have a list of cookies from all major sites and then some to look like a real user.


DoNotTrack

Code:
navigator.doNotTrack
Many users aren't savvy enough to know what this is, better to not have this set to try to blend in as a real user.


Available Height

Code:
screen.availHeight
What's your device's available height?


Available Width

Code:
screen.availWidth
What's your device's available width? Just the height and width of your device can help narrow down who you are.


Color Depth, Pixel Depth
Code:
screen.colorDepth
Code:
screen.pixelDepth

Some more information about your device.


Canvas

An invisible element can be created on the browser in which something is rendered on the canvas, your particular device, font types, and browser will render it in one specific way only. From this a "hash" is returned and now we know who you are.

This is the one I had trouble changing. Applause to you better programmers who've managed to bypass this somehow.


WebGL

Basically info about your browser's rendering engine. Again, should be collected in the wild so a real database can be used, this stuff can't simply be made up.


There are tons more parameters, especially in shaders and how your device renders things.


Moral of the story: Use a solution like Multilogin or something else which changes all of those parameters, if you really want to be hidden as best as possible.
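The cross-checks the post calls red flags (user agent against platform and appVersion, tell-tale plugin names), seen from the detection side. This is an added example, not code from the original post; the flag names, the plugin-name pattern and the sample records are assumptions constructed for illustration.

```javascript
// Added example: consistency checks over one collected attribute record.
// Field names mirror the navigator properties listed in the post; the flag
// names and the plugin-name pattern are assumptions made for this sketch.

// Map a user-agent string to the prefix navigator.platform normally has.
function expectedPlatformPrefix(ua) {
  if (/iPhone|iPad/.test(ua)) return 'iP';       // "iPhone", "iPad"
  if (/Windows NT/.test(ua)) return 'Win';       // "Win32"
  if (/Mac OS X/.test(ua)) return 'Mac';         // "MacIntel"
  if (/Android|Linux/.test(ua)) return 'Linux';  // "Linux x86_64"
  return null;                                   // unknown: make no claim
}

function findInconsistencies(fp) {
  const flags = [];
  const prefix = expectedPlatformPrefix(fp.userAgent);
  if (prefix && !String(fp.platform).startsWith(prefix)) {
    flags.push('platform-mismatch');
  }
  // In WebKit/Blink browsers appVersion is the user agent minus "Mozilla/".
  if (/AppleWebKit/.test(fp.userAgent) &&
      fp.appVersion !== fp.userAgent.replace(/^Mozilla\//, '')) {
    flags.push('appVersion-mismatch');
  }
  // Plugin names that announce a spoofing or proxy tool.
  if ((fp.plugins || []).some((name) => /spoof|proxy/i.test(name))) {
    flags.push('suspicious-plugin');
  }
  return flags;
}

// Constructed sample records (not real visitor data).
const UA = 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 ' +
           '(KHTML, like Gecko) Chrome/68.2.4.20 Safari/537.36';
const consistent = {
  userAgent: UA, platform: 'Win32', appVersion: UA.slice('Mozilla/'.length),
  plugins: ['Chrome PDF Viewer'],
};
const spoofed = {
  userAgent: UA, platform: 'Linux x86_64', appVersion: '5.0 (X11)',
  plugins: ['Adobe Pdf', 'Agent Spoofer', 'Proxy Changer v3.1', 'Kindle Reader'],
};

console.log(findInconsistencies(consistent));
console.log(findInconsistencies(spoofed));
```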






 

phatzilla

Supreme Member
Joined
Apr 9, 2009
Messages
1,428
Reaction score
1,084
My question would be: what's the easiest way to tell how many of these things a site is actually checking?
 

lotus13

It depends on how you can overwrite the function but you can preload a script modifying the function, for example for language
Code:
// Replace the navigator.language getter so every read is logged.
Object.defineProperty(navigator, 'language', {
  get: function() {
    console.log('The site checked our Language');
    return 'en-us';
  }
});

Now when a site calls navigator.language it should print out that the function was accessed along with returning the value that you want
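The same getter hook, generalized to a list of properties and used purely as an audit: it counts reads and passes the real value through unchanged. This is an added example, not code from the original post; `auditReads`, the mock object and `samplePageScript` are hypothetical names, and in a browser `target` would be `navigator` or `screen`.

```javascript
// Added example: wrap several properties so each read is counted, while the
// original value is returned unchanged. `target` stands in for navigator or
// screen; the mock object below is constructed for the demo.
function auditReads(target, props, log = new Map()) {
  for (const prop of props) {
    // Find the original descriptor on the object or its prototype chain.
    let owner = target;
    let desc;
    while (owner && !(desc = Object.getOwnPropertyDescriptor(owner, prop))) {
      owner = Object.getPrototypeOf(owner);
    }
    if (!desc) continue;                    // property does not exist here
    const original = desc;
    Object.defineProperty(target, prop, {
      configurable: true,
      enumerable: original.enumerable,
      get() {
        log.set(prop, (log.get(prop) || 0) + 1);
        return original.get ? original.get.call(target) : original.value;
      },
    });
  }
  return log;
}

// Constructed stand-in for navigator: getters live on the prototype,
// as they do in real browsers.
const mockNavigator = Object.create({
  get language() { return 'en-US'; },
  get hardwareConcurrency() { return 8; },
  get platform() { return 'Win32'; },
});

// Constructed stand-in for a page script that reads some properties.
function samplePageScript(nav) {
  return [nav.language, nav.platform, nav.language].join('|');
}

const readLog = auditReads(
  mockNavigator, ['language', 'hardwareConcurrency', 'platform', 'deviceMemory']);
const pageResult = samplePageScript(mockNavigator);
console.log(pageResult, Object.fromEntries(readLog));
```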
 

thebotmaker

Jr. VIP
Joined
Oct 11, 2018
Messages
696
Reaction score
706
Website
www.blackhatworld.com
1. Thanks for this post @lotus13. I wanted to ask how safe is it to inject javascript into the browser, because is it not detectable?
2. Let's say I wanted to use the above method to modify Firefox portable by running a script in my browser before loading the page to reduce the footprint. Would that be a good idea?
 

lotus13

1. Thanks for this post @lotus13. I wanted to ask how safe is it to inject javascript into the browser, because is it not detectable?
2. Let's say I wanted to use the above method to modify Firefox portable by running a script in my browser before loading the page to reduce the footprint. Would that be a good idea?

1. Honestly I'm not sure, I know you can detect if a function has been changed so they might check for that but I doubt it

2. Yeah, that's how the extensions work, just make sure the script waits until the dom is loaded but before the whole page is loaded so you can change anything you want
 