Re: Detecting browser fingerprinting

Hi Bjoern,

Just for clarity, we logged the following events by modifying the WebKit 
code base of Chromium and PhantomJS.

  * font load attempts by intercepting calls to/CSSFontFace::getFontData
    /and/CSSFontSelector::getFontData /methods/
  * access to the following navigator properties and methods:/userAgent,
    appCodeName, product, productSub, vendor, vendorSub, onLine,
    appVersion, language, plugins, mimeTypes, cookieEnabled(),
  * access to/navigator.plugins: name, filename, description, length/
  * access to /navigator.mimeTypes: enabledPlugin, description,
    suffixes, type/
  * /window.screen /properties/: horizontalDPI,verticalDPI, height,
    width, colorDepth, pixelDepth, availLeft, availTop, availHeight,
  * access to/offsetWidth /and /offsetHeight /properties
    and/getBoundingRect /method of HTML elements/./

For the Flash files, we grepped for the ActionScript calls that are 
listed in the paper (Appendix B) 
<> after 
That includes, for example, /enumerateFonts, getFontList,/ /XMLSocket, 
getLocal/ and so on.

Also please note that our tool requires some manual analysis to get rid 
of false positives and (safely) determining a script/SWF is 
fingerprinting or not. That includes e.g., checking the WHOIS records, 
company websites and reviewing fingerprinting code (if it's not obfuscated).

But this is for discovering new "fingerprinters"; for the ones we listed 
on the last page of the paper, one just need to grep on the HTTP request 
URLs - like Ghostery, AdBlock or similar tools do.

Best regards,
Gunes Acar

PhD Student
University ofLeuven
Dept. Electrical Engineering-ESAT / COSIC
Kasteelpark Arenberg 10, B-3001 Leuven, Belgium
Office: 01.17
tel: +32 16 32 11 29 fax: +32 16 32 19 69
email: gunes.acar (at)
web page: 

On 10/14/2013 12:08 PM, Bjoern Hoehrmann wrote:
> * Christine Runnegar wrote:
>> To detect websites using device fingerprinting technologies, the
>> researchers developed a tool called FPDetective. The tool crawls and
>> analyses websites for suspicious scripts. This tool will be freely
>> available at for other
>> researchers to use and build upon.
> I take it they customised open source web browsers so they report when
> web sites attempt to probe which fonts are installed on a client system
> and perhaps a few other properties and they are "in the process of
> preparing the FPDetective framework for public release." That's funny,
> some years ago I did something quite similar (though more ambitiously I
> wanted to simply trace all function calls and property accesses, it is
> actually quite odd that typical frameworks do not already ship with the
> capability) but I also did not develop into something I could bring my-
> self to release to the general public... It will be interesting to see
> how much of a hack their code is, or if it can easily be adapted to
> solve the more general problem of tracing everything (in which case new
> forms of malicious behavior could easily be identified through `grep`
> and Excel).

Received on Monday, 14 October 2013 11:01:20 UTC