1

I would like to know if a website is fingerprinting me via WebGL,

  1. first of all, knowing if the site is doing it
  2. Knowing when they send the request to my browser
  3. Knowing what value I am reporting to the site

Important thing to notice, in sites like https://webglreport.com/?v=2

How can I know where do I get the fingerprint request?

I think I have an idea of what the injected JS to my browser could be I think

Benoit Esnard
  • 13,942
  • 7
  • 65
  • 65
The Dan
  • 111
  • 3

1 Answers1

1

WebGL fingerprinting is done by rendering an image to a canvas, then extracting that image, f.e. with HTMLCanvasElement.toDataURL(), or via the WEBGL_debug_renderer_info extension.

For this specific website, the fingerprinting is done in the script loaded from that URL: https://webglreport.com/webglreport.js - it's not obsfuscated so it should be reelatively easy to understand what they are doing.

Auditing the website scripts is a possibility, but you can also programmatically detect the use of the mentionned methods, which should be way faster, considering the amount of JavaScript used nowadays.

Note that some browsers already have anti-fingerprinting measures.

Benoit Esnard
  • 13,942
  • 7
  • 65
  • 65
  • The anti-fingerprinting measures browsers have only help with the very limited canvas fingerprinting technique. WebGL fingerprinting as a whole simply _cannot_ be mitigated without disabling WebGL or restricting it to an extreme subset of its functionality. Think of it like AudioContext fingerprinting, except more reliable. It can create a unique fingerprint for an individual GPU. – forest Jul 04 '21 at 03:06
  • I think the ideal here is to spoof it, but it has been to hard to find related information, if you have any idea could be amazing – The Dan Jul 05 '21 at 20:09
  • There are different ways of spoofing. The only one I have made work consists in adding some noise to the rendered image, but I'm looking forward for a more advanced technique – The Dan Jul 05 '21 at 20:11