Site that fingerprints users, how do they do it?

Discussion in 'Scripting' started by magdalene, Apr 11, 2016.

  1. magdalene

    magdalene MDL Novice

    Sep 15, 2012
    34
    11
    0
    I'm a member of an extremely large forum since many years. People come there to discuss anything from IT problems to relationships, politics or gardening. A large proportion of the population in my country has an account. In a country with somewhat restrictive media situation and stifled public debate this forum fills a very important function.
    The backside is they also have a lot of intimate personal data on people.
    The site swears that everyone is anonymous, they'd never share data with anyone.

    Recently I become aware that this site can somehow fingerprint and uniquely identify users and I'm interested in finding out how they do it.
    I have excluded the following possibilities;
    -IP address
    -Cookies, including DOM cookies and Flash cookies.

    That leaves in my opinion only some form of scan to check unique features of the machine - but how is that done?
    Am I right to think it's a Javascript? Or are there other options?
    How can I look at this javascript? Or is anyone willing to have a try and simply tell me? I can provide address and a login details if that would help.
     
  2. kaljukass

    kaljukass MDL Addicted

    Nov 26, 2012
    975
    327
    30
    1. The site swears that everyone is anonymous, they'd never share data with anyone.
    They may swear or do what they want - they may not share, but who wants, can see everything, even if the data is encrypted. Recommended to remember this for ever.
    2. javascript is only one method to write some commands for run programs, and it could not be to blame in any way whatsoever, or where ever.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Javascript is crap, user can disable this.
    see:http://browserspy.dk

    PHP Script on Server is the right way. ;)
     
  4. RainoT

    RainoT MDL Novice

    Apr 7, 2016
    1
    0
    0
    There is a Firefox plugin You can use to fake fingerprinting
    - Random Agent Spoofer

    it changes all the data been used to create fingerprints each time You start the Browser
    works fine, I use for years now
     
  5. magdalene

    magdalene MDL Novice

    Sep 15, 2012
    34
    11
    0
    Great tip, I've installed it.
    But I'm beginning to wonder if it's even possible to have privacy on Micro$oft at all!

    Somebody elsewhere commented:

     
  6. jimmy17

    jimmy17 MDL Novice

    Mar 20, 2016
    3
    0
    0
    In the cmd window Type wmic product get Wait a while
    There you will see your PC Global Unique Identifiers GUID
     
  7. open cmd (as admin):
    Reading properties of the network card:

    wmic nicconfig where index=1 get /value

    wmic nic get index,name

    Show BIOS Info:

    wmic bios list full

    or

    Copy BIOS Info to clipboard:

    wmic /output:clipboard bios list full

    ;)
     
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,368
    11,243
    340
    Static HTTP requests and AJAX I guess...to collect info best until it is recognized as a unique machine.

    The more common the info is the more anonymous you are. Common not random!

    HTTP_ACCEPT_HEADER/Useragent/timezone/screenresolution/fonts/browserplugins...

    We here at MDL do not care about that, though. We respect privacy. We log IP address only...


    Try here and you'll know: (they read not all what's possible) :) If you get as result you're unique, you have to fake/make general more IDs...

    https://panopticlick.eff.org/
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    952
    912
    30
    Fingerprint detection pages (also ssl and other browser based tests):

    https://panopticlick.eff.org/
    http://www.filldisk.com/
    https://www.ssllabs.com/ssltest/viewMyClient.html
    http://samy.pl/evercookie/
    https://www.mozilla.org/en-US/plugincheck/
    https://people.mozilla.org/~tvyas/mixedcontent.html
    https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm
    http://mozilla.github.io/webrtc-landing/
    https://www.adobe.com/software/flash/about/
    https://www.java.com/en/download/installed.jsp
    http://ip-check.info/?lang=en
    http://cure53.de/leak/onion.php
    http://thehackerblog.com/addon_scanner/
    http://www.computec.ch/projekte/browserrecon/
    https://robnyman.github.io/battery/
    https://pstadler.sh/battery.js/
    https://rc4.io/
    https://www.google.com/transparencyreport/https/ct/
    http://html5test.com/
    https://crt.sh/




    & others.


    The thing is
    a) WebRTC was designed to be new and it offers a lot of security features compared to other protocols, BUT since it's new it may suffers from several implementation problems pr logical failures which not need to be fixed within browser more like in protocol (if possible) to not abuse these in name of evil.
    b) Hiding everything breaks the protocol mostly or lowers the surf fun (I tried that)
    c) Thinking to be secure just because you use NoScript, HTTPSE. or uMatrix is false sense of security because there exist attacks which bypass this, e.g. if you locally execute stuff which then want's to connect to web, a firewall may does help here more.
    d) To bypass all of this just use a faked certificate, then mostly they bypass it and you need again other tools or firewall settings to filter https. If you use other tools like AdGuard you must trust then their certificates.
    e) There is no real opt-out, because each application on your system or extension may have it's own GUID or other identification which is detectable, again a firewall may help to just stop the communication, even MS own firewall is mostly in 90% enough.
     
  10. 90

    90 MDL Member

    Aug 21, 2015
    105
    10
    10
    You can get a Firefox add on Canvas Blocker. It spoof fake fingerprint each time.
     
  11. (for a better understanding in your 'favo' language)
    Yen, diese Admins machen alle immer wieder die gleichen Fehler.
    Wenn im User Browser Javascript deaktiviert ist, alles nutzlos.
    Wie du hier mal wieder sehen kannst ... (ohne js im Browser) startet das JavaScript gar nicht, wie soll es auch ....
    [​IMG]
     
  12. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    952
    912
    30
    It's not correct that if you disable JavaScript you're be automatically more secure, together with the fact that if you disable it you lower the surf fun dramatically, this is also the reason why it's not default disabled by Tor Browser Bundle (it gets disabled if you slide the tor button to max settings).

    There are also other techniques, as already mentioned Canvas (HTML5), cookies, supercookies and a lot of more which could theoretically compromise you. It's also a no-go to disable everything since that (again) simply breaks everything, even MDL need e.g. Google Ajax script for e.g. the thanks/like button, it's due implementation.


    You should also not forget that just because it's might somehow possible to track, that not means automatically you will be tracked, it's up to the webmaster and how often the page get's updated, if it's compromised with malware advertisements and many more factors.


    I'm not really a test of these mentioned test-pages because they need most stuff enabled and this (if you work with a whitelist) like NoScript e.g. offers not really shows that you're vulnerable, in fact you allow e.g. Panopticlick to trakc you because you visit the page + enabled javascript + then clicked the button which clearly showed that you get scanned - of course that is just an example what someone may can implement in his HP but again working with a whitelist + keep up2date is mostly enough, just do the fact Mozilla and others fighting for more privacy, we also got an integrated list (e.g. Mozilla use disconnect + google safe browsing list) to block already well known and reported pages by default.

    If you're a Mozilla fan and care about privacy you may want to visit a small project I contribute to - the user.js project. I explained in most issue tickets how it works, which attack surface exist and you can of course use the file to harden the settings.
     
  13. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,368
    11,243
    340
    CHEF is right.
    You need functions like AJAX to have all the comforts of the site. For instance perview of member list (recipient PM/search)....

    NoScript makes only sense when defining whitelists of trusted sites...

    Also fingerprinting a device does not mean fingerprinting a person.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. AJAX yes / JS no
    sorry, but disagree - pure PHP is the right way!
     
  15. #16 Satoshi Nakamoto, Apr 14, 2016
    Last edited by a moderator: Apr 14, 2016
    Yen last word to it ...
    Yen, das wirkliche Problem (Unsicherheit) besteht dann wenn ich mich in eine Website/Forum einloggen kann ohne Javascript und du aber dieses hier im Forum nutzt, denk mal darüber nach ... Das ist hier ('bei dir') der Fall. Ich will das nicht weiter ausführen ... Ich denke du hast verstanden was ich meine.


    Eng:

    Yen, the real problem (uncertainty) exists when I can login into a website/forum without JavaScript, but you are using it at the forums...think about it, it is a fact here I don't want to elaborate on this further ....I guess you know what I mean
     
  16. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,368
    11,243
    340
    English, please. :biggrin:
    (I am adding a translation to your post)...

    No, sorry. Neither AJAX nor JS nor php are 'bad/good'...it are just 'languages'...
    It is ALWAYS a question of trust.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. Thy, & yes of course. ;)

    In Yen we trust!
     
  18. TairikuOkami

    TairikuOkami MDL Addicted

    Mar 15, 2014
    751
    638
    30
    #19 TairikuOkami, Apr 14, 2016
    Last edited: Apr 14, 2016
  19. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    952
    912
    30
    You not need any WebRTC addon anymore, that hole is now closed. As mentioned because it could be used not means every page automatically compromise you and your security setup. Firefox solved it - you can disable entirely WebRTC and with FF 46 it also get's an option just for more control over certain stuff. If you're on Chrome you can compile without Webrrtc flag, or better consider to use Chromium + nosync version because that not comes with WebRTC.

    You're wrong if you say php is an answer, we not talking only about site specific fingerprinting, we also need to talk about metadata and this is protocol wise fingerprinting. Like IP, geo location (huge topic now in germany), and in general OSI layer based fingerprints.

    E.g. if you use a tagged photo you can be possible geo located, or if you use HTMl5 storage [dom storage] and to entirely disable everything breaks a lot of stuff, e.g. if you disable DOM Storage Mega and his plugin will not work (because key is in this section stored). So, again there is no real solution without breaking stuff. Since I not use any plugins anymore I dropped NoScript and replaced it with uMatrix because the benefits from NoScript are more to protect plugins and is more comfortable, this then gives you white-/blacklist ability, but as mentioned even if you work with whitelist it not protects you agains all types of fingerprints.

    Tor is maybe an 'solution' a lot of people saying it's insecure which is imho wrong, it's the only option I see for now, because it uses the same ID for each session and user, which means that the fingerprint you leave is useless for the page because everyone gets the same. The problem is that if you try to tweak your Browser like this and change certain configuration you make you more unique and this may more attractive to tracking companies - this is why I always prefer Tor. I not say it's perfect there are protocol based issue and fingerprinting too, but it's far more designed to protect you, especially for beginners it's a lot of easier as working with uMatrix/NoScript if you visit a lot of different pages and not exactly know which you can trust.


    You should also not forget that if you leave small footprints in the sand it not cares much as driving with a car trough the sand - with this analogy I want so say that you should not get in panic if xyz page may detects something. There is a huge different between get a result or get a result and you know which one behind did it. An example is that e.g. some pages detect font's, in general they come pre-installed with every OS. So you not need to worry much about, just because it tells you that there is may be an exploit (which was closed btw in several OS and Office versions). It's a difference to bring all the peaces together you reveal your identity. From what I know both Firefox and Chrome constantly try to improve there security without breaking much, but we are hitting the possibility, again it needs to be fixed in the protocols, not php, not java, if the protocols are secure on OSI layer, then it doesn't matter what OS/Browser you use since the page would only see encrypted garbage - but this is not very easy possible, metadata are one huge problem because if you would truly 'invisible' then how you ban trolls/terrorist from internet/pages? That's the main problem, I not found any solution yet and possible there will be no ....

    So this topic is huge and difficult, there exist no protocol, plugin or addon to hide you or your fingerprints. There are suggestions/recommendations on my linked pages to lower the attack surface but there exist still some problems.