Spoofing canvas and webgl

MarkWilson

Regular Member
Joined
Mar 16, 2014
Messages
307
Reaction score
86
How did you end up verifying out of interest? My only check is just browsing a bunch of pages on their site, but I'd love to find something more reliable like the other testing tools we've talked about.
I also just rely on surfing different pages and clicking things fast.
It's not the most reliable method but with all other bot setups (I tried many) I always got blocked right after 1-5 page navigations.
So I think it is still a good reference.


How many threads do you need to run? Tier-1 geo 4G is by far the gold standard at the moment, I made a post about how we rotate through 4G IPs programmatically for small AOs here:

But ultimately if you need to run any reasonable number of threads (ie more than 5), just invest in a 4G gateway, it will pay for itself very quickly compared to renting proxies.
I will have a look at your thread asap, seems interesting.
When I bot on social networks, I usually need dozen threads not more.
Also the 4g gateway seems very very interesting. It surely performs better than my current rasp+dongle setup, maybe with that IP leak problem could be completely solved?

Why not just have each Identity logged in if it has that much of a performance boost?
Even then you may still get them but with 2captcha it costs like 0.00000001c to solve them on the run, so I wouldn't worry too much.
And what do you get as a score logged out on a clean user account on your main PC?
That's exatly what I thought this morning. Did very little testing, but it seems working.
Clean user on my main PC without cookies range between 0.3-0.7-0.9 depending on browser (firefox or chrome) and IP.
That means that fingerprinting is not everything, having a google account each session is mandatory.
 
Last edited:

Crazyfire

BANNED
Joined
Apr 16, 2020
Messages
187
Reaction score
308
Two interesting reads,

1. https://github.com/danielgatis/puppeteer-recaptcha-solver/blob/master/index.js

2. https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf

I managed to use both resources to successfully bypass recaptchas, my actors gets 0.7-0.9 scores and where recaptcha is required, because of good score, audio can be translated into text and captcha - resolved.

Haven't found a good solution for hCaptcha, yet. There is chrome extension called Privacy Pass that can be loaded in chrome if there is no need for headless, but its buggy and do not work always and still requires captcha to be solved every -n times.

I still have problems with Datadome, but they are so sensitive that even my main work PC gets targeted, so I'm ignoring them for now.
 

Sebastiann

Junior Member
Joined
Apr 27, 2020
Messages
183
Reaction score
225

Crazyfire

BANNED
Joined
Apr 16, 2020
Messages
187
Reaction score
308
Thanks, it's a good find, will check it deeper.

Do any of you have a good typing implementation? I'm thinking of something that pauses between words/sentences(coma split), writing errors and correction with backspace aaaaand something that sends shift key signal for uppercase letters. :)
 

Sebastiann

Junior Member
Joined
Apr 27, 2020
Messages
183
Reaction score
225
This is one I've been using for a while, no shift key though, but that's a good idea:

exPalv.jpg
 

Crazyfire

BANNED
Joined
Apr 16, 2020
Messages
187
Reaction score
308
It's beautiful.

tenor.gif


Will share back if i will manage to add shift key.
 

Sebastiann

Junior Member
Joined
Apr 27, 2020
Messages
183
Reaction score
225
It wouldn't be tricky at all to add the shift key, just check the Puppeteer docs to make sure it doesn't automatically do that already in the type() function etc
 

ImZanga

Newbie
Joined
Aug 18, 2020
Messages
1
Reaction score
2
Been reading alot on this thread and I'm very interested. I've been making bots similar to these for some time and I'll add some random thoughts I had while reading

imo using any real devices to scale is a waste because there are sooo many vectors to fingerprint a device. Even with phones with same hardware, there will still be some unique hashes. Off the top of my head, time offset is one
Also from my little experience, user's activity/consistency always trumps fingerprint data/ip quality(unless really bad), at least in the long run.
For example, I played around with the idea of making a sneaker bot and made a recaptcha farmer as an addon and on a single machine and a single ip, I was able to get 15 one clicks and 15 .9s in a row (couple hours of farming, then that data was gathered in succession, not spread out ). 15 isnt a beholdable number but with those requirements, it's definitely scalable. This was also a strategy used in the breaking recaptcha whitepaper. Also remember that alot of these big social media sites could be using 3rd party cookies for fingerprinting. I remember this was confirmed a little while back when Facebook got in trouble and had to release alot of their methods for fingerprinting. One of them was using an analytic service iirc. For example, you go to a recaptcha site after only farming google cookies and then google taps into their analytic database and sees that you have not once gone to a site with google analytics (52.9 percent of all the internet according to w3) and your score gets penalized. Or instagram sees that you only visit their site and never ever visited a site with their embed code. This is kind of an out there thought but I can't ignore it because it's been confirmed by Facebook.
Also the vektor t13 vm thing that was posted at the beginning of this thread is awesome. I've been using it for a while. It's kinda suss because its a russian tool to bypass fraud protections so i run it inside a vm though. It definietly has the most overhead out of all these solutions, but it really is a one and done solution. You could also run those Spotify bots that u talked about in the native spotify application. Not perfect though because its hard to scale with it.

I'm still looking for a multilogin like app that I can run selenium sessions each having their own rotating residential proxy that is free, or I can make and use it for free though

take all this with a grain of salt because im kinda ooga booga
 
Last edited:

mazzaleen

Newbie
Joined
Jan 1, 2021
Messages
7
Reaction score
0
I was finally able to bypass datadome!
distil network blocks me with my custom proxies, seems some TCP fingerprint is going on or it could be caused by the way I am handling webrtc leaks. with WiFi or hotspot everything goes smooth with distil too.

recaptcha now is the final boss it still block me sometimes, if not logged in Google I get fixed 0.3 score. if logged in, 0.9. would like to reach 0.7 without logging in
hey, sorry would you be able to elabirate how you bypassed datadome protection or if was a specific private proxy provider used to bypass their protection ? it would help me out a tone :)
 

MarkWilson

Regular Member
Joined
Mar 16, 2014
Messages
307
Reaction score
86
hey, sorry would you be able to elabirate how you bypassed datadome protection or if was a specific private proxy provider used to bypass their protection ? it would help me out a tone :)
PM sent
 

mazzaleen

Newbie
Joined
Jan 1, 2021
Messages
7
Reaction score
0
thanks for replying, see the thing u PMed me about, where do i input that, sorry a bit of a neewby question :)

Or like a little quick few step process if you could PM would be much appreciate. Thank You once again.
 

Salamouna

Jr. VIP
Jr. VIP
Joined
Aug 28, 2014
Messages
5,623
Reaction score
2,632
Website
www.blackhatworld.com
None of those other software can do what multilogin does.
All of them give 100% unique canvas finger prints witch is not good.
 

MarkWilson

Regular Member
Joined
Mar 16, 2014
Messages
307
Reaction score
86
thanks for replying, see the thing u PMed me about, where do i input that, sorry a bit of a neewby question :)

Or like a little quick few step process if you could PM would be much appreciate. Thank You once again.
It's a chromium flag, look up in Google you will find your answers! ;)

None of those other software can do what multilogin does.
All of them give 100% unique canvas finger prints witch is not good.
It's been a while since I tried multogin.
Is it giving a consistent and not unique canvas now? That's something I still want to do and was never able to accomplish.
Canvas emulation is still a big question
 

speedyallan77

BANNED
Joined
Apr 8, 2019
Messages
1,470
Reaction score
943
It's a chromium flag, look up in Google you will find your answers! ;)


It's been a while since I tried multogin.
Is it giving a consistent and not unique canvas now? That's something I still want to do and was never able to accomplish.
Canvas emulation is still a big question

hey man what do u think about these multi profile browsers. are they bad?
is there any issue with fingerprint resistance?
all I'm trying to do is use multi profile browsers so that I can create multiple google accounts and i dont want the accounts to be linked with me.
I'll run each browser instance with proxies.
on bhw there is a tool called hydra headers by the guy
@HydraProxy

it's multi profile browser.
i just want to manage the google accounts without fingerprint leaks.
im not trying to do some spamming related stuff which social media accounts ban when they probably see fingerprint resistance.
i just want to manage multiple accounts without linking them to me. that's it.

what is the issue with fingerprint resistance.
will there be in issue in my use case?
i will only be managing accounts
 

MarkWilson

Regular Member
Joined
Mar 16, 2014
Messages
307
Reaction score
86
hey man what do u think about these multi profile browsers. are they bad?
is there any issue with fingerprint resistance?
all I'm trying to do is use multi profile browsers so that I can create multiple google accounts and i dont want the accounts to be linked with me.
I'll run each browser instance with proxies.
on bhw there is a tool called hydra headers by the guy
@HydraProxy

it's multi profile browser.
i just want to manage the google accounts without fingerprint leaks.
im not trying to do some spamming related stuff which social media accounts ban when they probably see fingerprint resistance.
i just want to manage multiple accounts without linking them to me. that's it.

what is the issue with fingerprint resistance.
will there be in issue in my use case?
i will only be managing accounts

You need a REALLY strong setup to bot Google. I am at the point where I'm not even sure if botting Google is doable or not. Having good proxies etc will not be enough. not even close! Any good proxy still leaks with WebRTC, disable it and you will have problems too. I guess you can't even think about using proxies, you need to figure out a way to rotate IP without any proxy (example: 4g dongle directly connected to pc, or some VPN shit which I didn't look into yet). Not to mention you need to completely wipe the existence of any webdriver in any way possible.
Not sure about the tool you've posted, I don't know it so I cannot give any info about it.
But again, botting Google seems 100x more difficult than botting any other site. So be careful or you will loose all your accounts.

It seems to me that Google is UNIQUELY IDENTIFYING any user, no matter what.
 

MarkWilson

Regular Member
Joined
Mar 16, 2014
Messages
307
Reaction score
86
I managed to spoof basic things (plugins, fonts, navigator properties, window properties) and I am having a good recaptcha score sometimes which means I am not fully detected by Google.

Just to let you know guys, this was total nonsense.
Having a good recaptcha score seems not related to the fact that Google isn't detecting me.
Because even with 0.7-0.9 score, it did detect me indeed. So that score is a good starting point, but don't rely too much on it. Google has many more ways to uniquely identify and stuff
 

M4DM4X

Elite Member
Joined
Jan 21, 2015
Messages
1,758
Reaction score
884
None of those other software can do what multilogin does.
All of them give 100% unique canvas finger prints witch is not good.

It depends for which use.

You need a REALLY strong setup to bot Google. I am at the point where I'm not even sure if botting Google is doable or not. Having good proxies etc will not be enough. not even close! Any good proxy still leaks with WebRTC, disable it and you will have problems too. I guess you can't even think about using proxies, you need to figure out a way to rotate IP without any proxy (example: 4g dongle directly connected to pc, or some VPN shit which I didn't look into yet). Not to mention you need to completely wipe the existence of any webdriver in any way possible.
Not sure about the tool you've posted, I don't know it so I cannot give any info about it.
But again, botting Google seems 100x more difficult than botting any other site. So be careful or you will loose all your accounts.

It seems to me that Google is UNIQUELY IDENTIFYING any user, no matter what.

Creating adwords treashold accounts is still possible so it means it's possible to game google. But yes it doesnt work all the time, too many parameters are involved with google they check everything, even what you usually eat for breakfast...
 

speedyallan77

BANNED
Joined
Apr 8, 2019
Messages
1,470
Reaction score
943
You need a REALLY strong setup to bot Google. I am at the point where I'm not even sure if botting Google is doable or not. Having good proxies etc will not be enough. not even close! Any good proxy still leaks with WebRTC, disable it and you will have problems too. I guess you can't even think about using proxies, you need to figure out a way to rotate IP without any proxy (example: 4g dongle directly connected to pc, or some VPN shit which I didn't look into yet). Not to mention you need to completely wipe the existence of any webdriver in any way possible.
Not sure about the tool you've posted, I don't know it so I cannot give any info about it.
But again, botting Google seems 100x more difficult than botting any other site. So be careful or you will loose all your accounts.

It seems to me that Google is UNIQUELY IDENTIFYING any user, no matter what.
multi login is already bypassing this then how?
they are multi profile browser too.

botting google is not that hard especially for views.
i already have my own solution for this.
each viewer watches video from isolated browser environment with no fingerprint leaks.
like vm with unique fingerprints.

u add random Human activity with aged Google accounts.
that way even normal quality proxies work.

the reason why most botting method fails is coz the method sucks. not coz of proxies.

if proxies are the problem then my normal account Should be banned when i access from vpn.
but i dont get banned coz there is human activity.

my team already has bot that bypasses Google for views.

but that bot is only for views im looking for a good solution for multi account management besides vps or vms.


what do u think about vms?
will there still be some leak?
something that i need to look into?
 
Top