
Hi everyone, thanks for coming. Uh, my name's Alan and today I want to talk about fingerprinting. So, a bit about me to start off with. I'm a pentester with CyberCX, one of the gold sponsors of today's event. I've been with them for just over two years now. Before that, I've been sort of doing some software engineering, stuff like that. So, I've got programming languages like Python, PHP, JavaScript, all that lovely stuff. And if you want to check out some of the stuff I've been messing with, my GitHub is up there as well. I've been meaning to upload the stuff I'm going to be showing you today, but I just haven't done that quite yet, but hopefully
sometime soon. So, I want to just sort of dive into fingerprinting in general. I just want to first focus on a bit of background, um, why we're seeing it and why we should be concerned about it, and then sort of what fingerprinting is and how it's actually being conducted. And then I want to look at it from both the user's perspective, of how we browse the internet, how often do we come across it, what do we see, and then the website's perspective, of if I have a website, why am I using fingerprinting and what can I actually see about people when I fingerprint them. And then we'll be able to dig into some of the evasion, how easy
is it to actually avoid fingerprinting and stuff like that. Then hopefully after that it should be done. So there's a bit of a background, sort of how fingerprinting came on my radar at the very least. So when I was sort of doing some pen testing I had a message from my senior consultant and he said, "Adam, having some trouble with this web app firewall, keeps on kicking me off. Could you just sanity check some things for me?" So what I did there was we hopped on together and we kept on having a look at it and how it was actually messing with our data and what it was checking for. We tried changing IP addresses and it was still
kicking us off. We made sure we're clearing cache, um, coming from the same browser, but no, it was still kicking us off. It wasn't having any of it. And after a while we decided we'll call it there and we'll switch operating systems and we'll try it from there. And we're quite surprised to see that after that it was actually letting us through just fine. And this is because, we assumed at the time, that because it was actually fingerprinting us and it wasn't storing anything, but it was able to read our browser's few unique identifiers, that it had us pinned down as a bot and it wouldn't let us go past that. I think privacy, um, as a general rule is really
important. So in 2014, um, there was a big Cambridge Analytica scandal that I'm sure many of you have heard of, but just to remind you, um, so Facebook, you can do quizzes on Facebook and when you do them you can sometimes scrape the personal information of the user who does it. So Cambridge Analytica got the personal information of a bunch of people who did a quiz, was about 250,000 users. But what this quiz also did was it scraped the personal data of all your friends as well. So we've gone from 250,000 to 50 million users. And Cambridge Analytica at the time was a consulting firm and they were involved in, like, the 2016 US election, the Brexit referendum and things like
that. And this data was used to help sort of target advertising political campaigns uh because they've got such good understanding of how people act, how people vote and what actions might be needed to sway people to voting in a certain way. And just looking at cookies in general because we are going to sort of see some uh we got first party cookies. These are sort of fair game as far as anyone's concerned. This is um how a browser would just recognize you. So as soon as you log in you get a first party cookie and that just remembers it's you. And then we've got third party cookies and this is what everyone's up in arms about
and people are generally kicking off with. And when you hit the reject all button that's what these generally get rid of. So when you visit a website and there's a third party on there as well, it can give you a cookie. And then if you go and visit another website and it has the same third party, it can see the cookies and notice that you're the same person. And from that it can try and build up habits of how you're browsing and what you're doing and it can use this to target advertising to you as well. So fingerprinting in general has been on people's radar. So this is the director of Chrome engineering in 2019 and he said unlike
cookies, users cannot clear their fingerprints and therefore cannot control how their information is collected. We think this subverts user choice and is wrong. And I'm fully on board with that, and the Information Commissioner's Office actually came out in early 2025 and said the same thing. Fingerprinting is wrong and, um, it doesn't give users a choice. Locks out. Ah, okay. So, as of 2025, Google permits advertisers to fingerprint browsers class. So, this is a bit of a step back. It's probably something to do with the war on cookies going on and the fact that Google still needs to provide tracking sort of metrics to people. So, one way they're doing it is through fingerprinting. Now, Firefox has fully shut down third party
cookies and they have for a while. They stopped that in 2019. Chrome said they would, but I mean you can see they've got a pretty good track record of going back on their word. So after a while they did just sort of say, "Yeah, you know what? Third party cookies are fine with them still." And one study showed, we'll be touching on this a little bit more as well, but one study showed that 30% of the top 10,000 websites are rocking some forms of fingerprinting. So if we're actually looking to deploy fingerprinting and sort of how it's happening on the browser, these are some of the things that we should be looking for. So when you're on the website, you are
running a bunch of JavaScript that they send you. And there are some common things that a lot of scripts will just check. And these are things like your user agent, your language, and your fonts as well. And if we're looking to try and identify fingerprinters and sort of catch on to what they're getting up to, we could try and find some flagged properties as well. And these are sort of things like the magnetometer and MIDI that aren't generally used on websites, because I'm not sure how many of you browse websites which need your magnetometer or MIDI. And then we've got canvas and WebGL. So what they do here is they try and draw an image. And this
image because of the way it's drawn is very slightly different between browser to browser and it can be done to create a near unique identifier for how your browser processes that data. We can do something very similar with the audio processing as well. So behind the scenes it will sort of draw a sine wave and then it will put it through processes and manipulate it and turn it back to a string and then turn it into a hash. And again we've got a pretty near unique identifier.
And then Salesforce came along as well and they had a problem with malware and they wanted to try and know when sort of known pieces of malware were accessing their services. So they came up with something called JA3 and JA4 IDs. And this is used to just fingerprint the TLS full stop. So you don't even need to run JavaScript on them to have an idea of sort of a fingerprint for them. And this just creates a fingerprint based on the algorithms and encryption methods that they support. So when we're looking at canvas fingerprinting in particular, this is sort of the examples of the stuff they'll try and draw. I've got a credit there in the bottom left because this is
just something I found on there. But you can see we've got PayPal there. This is another CDN and there are sort of different ways that they're trying to find this data. There are a few sort of unique things to keep an eye out for. So in the bottom left we've got "Cwm fjordbank glyphs vext quiz" and then on three of these as well we've got the orange square over the text. So these are some quite unique identifiers that we're going to see across fingerprinting scripts. But this is all very good, but I wanted to try and go out there and find some sort of more unique information. So I use a tool called OpenWPM, which is what
the 2020 study also used. And it's basically just a black box for your browser. So as soon as you hit a website, it's going to sit there for 10 seconds and just record everything the website does. And it turns it into a database, and it makes it really useful for me to just go along and find out what it's doing. Um, yeah, just to find out what it's doing. So, we scan the top 5,000 websites and I scored them based on the JavaScript keywords, those flagged properties I mentioned, because a lot of these websites, um, a lot of fingerprinting scripts are a lot more likely to use some of these words than others. Um, yeah, so I did do a fair bit
of vibe coding for this as well. It's definitely not perfect, but it's pretty cool and I hope you guys will have something to take away from it still. And what I also did was I tried to harden the browser as well, because by default the browser just says, "Whoa, I'm a robot. Take that how you will." And I didn't want that to mess with the results as much. So we sort of shut that down a little bit just to try and appear more like a human browsing the internet. So we scanned 6,000 websites. 5,000 came back online and I got a 17 gigabyte or near 17 gigabyte SQLite database at the end. If you
want to try and scan that at some point, it'll be on the next few slides and we've got a bit of a live demo going on as well. Um there is something to printing but that's my own website. So yeah, that's do do with that what you will but please visit. So as a general picture I try to rank this based on risk. So low risk is they're probably not fingerprinting. Most of it's pretty fine. And then we've got medium, high, and critical. And this is where we could find some forms of fingerprinting going on. So this isn't just through sort of like the flagged keywords, but also if they're trying to mess around with the
canvas or do stuff with audio and things like that. And then we've got the bunch of domains. We can transport them up by category. So now we can try and identify which which websites which categories are doing the most fingerprinting. So I was really shocked to see travel way up there as well at 93%. But it makes sense from the perspective of if you're trying to book a flight or trying to book a holiday and things like that. They do want to conduct some sort of fraud prevention and they're especially incentivized to sort of try and identify how a user track like how a user shops and what they do with their money. Um, interestingly as well, we've got
e-commerce. So, that is high, but it doesn't particularly stand out. But what we're not seeing there is the rate of criticals within that. So, e-commerce had the highest number of really intensive critical fingerprinters at 40%. And the average for the rest of the sample was only 10. And then as down here is at 55%. I was quite surprised to see that. I was expecting a lot more fingerprinting going on there. Um, but no, it's pretty standard as far as things are concerned. This is rate of fingerprinting as we go down the list of sort of how popular websites are. Again, I was anticipating the higher ranked a website is the more
fingerprinting they want to be conducting so they get better understanding of how you browse, but across the top 5,000 or so that I checked it was pretty standard. And then we've got some of the most aggressive fingerprints in the data set. So we can see Temu there and then a bunch of other websites. Temu was a particularly interesting one because alongside trying to fingerprint, it also tried to see if you were behind a VPN and try to find out what your true IP address is, because there's a tool called WebRTC. This is a peer-to-peer system for sort of like web chat, video calls and stuff like that. And what Temu were actually trying to do was start a
peer-to-peer connection to try and get around the VPN and see who I am and where I'm coming from. What I wanted to touch on next was just sort of how are they doing it? What techniques are generally commonly being employed? And we can see that a lot of the criticals are just sat on three techniques. So this is like sort of generally navigator, canvas and audio. But then we do have some like delving more and more into even more intrusive stuff going on. So because we have this data, we can try and attribute certain fingerprinters to certain people, and we found that Cloudflare was the biggest. So this is generally sort of like business analytics and insights and stuff. It's
not massively intrusive. And then we've got FingerprintJS, which we'll be touching on a bit later as well. So FingerprintJS is an open source, generally tracking library that can be used for sort of advertisers and stuff, and because it's open source and everyone can access it, you can visit on multiple websites and everyone have the same fingerprint. And then after that we've got a which is just bot and fraud prevention, and then some other ones going on. PerimeterX is quite interestingly quite interesting. You probably would have heard it in the news recently if you came across the LinkedIn one, because, uh, LinkedIn was using the, I believe using the PerimeterX extensions
and that's where the browser extension fingerprinting was coming from. So when we're looking at sort of canvas fingerprinting there was one big player and that was FingerprintJS. So, this is the sort of thing it's... Oh, go on. Let's use this. So, that was the sort of thing it's normally meant to be doing. And this is very slightly different, but I couldn't tell you why, but it came back different, and that was going to give us a different fingerprint. And then what we've got here is a Russian website, which has quite clearly taken the open source library, manipulated it, and just tried to sort of, um, make it more unique, to see if they could get some unique
identifiers, because you can see they've got some flags there as well and emojis and then they just do the alphabet. So one of the first cases of actually canvas fingerprinting, uh, was announced around 2013, and one of the best examples of this was from browserleaks.com, and a lot of websites clearly saw this and just tried to follow suit, but instead of browserleaks.com they just added their own website in, which we can see from all of these, and they've even kept the iconic orange square as well, which is, as we saw earlier, on quite a few fingerprinters. And these are the most commonly used and most commonly repeated fingerprints. So because of this, every website we
visited, we recreated the fingerprint generators and we had FingerprintJS, which was just, yeah, above and beyond the most. And then Akamai was quite interesting because it's bot prevention, but you can actually see faintly in the background as well, it says "soft ruddy foothold too" and that was unique to that script. Then we've got some canvas fingerprint and it looks a lot like Alibaba Cloud was just trying to use the same thing as FingerprintJS but increase the length of the sentence to make it a little bit different. And the important thing to keep an eye on here is that sentence that it types is using every letter of the alphabet only once.
So, sorry, I'm just double checking it. So it's quite a good way of trying to get an idea of how these behave. And then we have AWS WAF as well. So these aren't opt-in, these aren't sort of me clicking about and trying to visit them. This is, I'm sat on a website and within the first 10 seconds, this is what it tries to do without any permission, without any sort of idea of who I am and how I'm handling it. So because we've got some fingerprinting vendors, we can try and find out how intrusive their scores are compared to each other. So fingerprinting, FingerprintJS above and beyond was just like the biggest vendor for this and it makes
sense because they're trying to be used for like tracking, advertising, is quite open source, and there's a lot of people trying to see how many different ways they can try and get a hold of a unique thing, fingerprint for the device, and if you look through the GitHub repo there's loads of ways they try. They even check what version of Firefox you're running as well, or Safari, because some of these don't play very well with canvas fingerprints. And if you're running a new version, they'll just get canvas fingerprinting and use some other methodologies instead. And I mean, I don't think anyone's going to be surprised to hear that they're not
just doing fingerprinting. So this this is it's not massively uncommon, is it? We've got Google Tag Manager. We got some cookie consents. And we've got a lot of social medias in there as well. And this is just their way of tracking and keeping an eye on stuff and maybe like a share button or something. But one thing I haven't touched on yet is what they doing with cookies as well because um you know they're not just sort of calling it a thing printing a set pretty. So we've measured I've measured it by cookie events. So every time they try and read a cookie, every time they try and save one to the browser, they're going to have an
event. And quite nicely, quite satisfyingly, there's a very nice increase as you go on: the more and more fingerprinting you're doing, the more and more you're trying to mess with cookies, trying to save stuff and do things like that.
>> Cool. So we've seen how it is from a user accessing the internet and just browsing. What I want to touch on now is just how does this look from a website's perspective, why we want to do it and things like that. So this is the link that you've been directed to, ascree.dev/fingerprinting, and what we've got in there is the FingerprintJS library and this is actually the tool itself, and back in the UK I accessed it
twice from my own IP address and then I was lucky enough for them, so my company started to send me to Australia, so I accessed it from there as well from the same device, and without storing anything on my browser or having the same IP address it read the unique fingerprint of my browser and said, "Oh, yeah, that's the same person." So, I traveled halfway across the world and I still got a pretty good idea of who I am. And this could be used for things like advertising sort of guides or cash exchange and things like that. Now, this one's really cool. So, there's a browser called the Mullvad Browser, and it's very similar to Tor.
It doesn't do any of the onion routing or anything like that, but has got very similar methodology in terms of keeping the browser shut down and trying to make sure that no one really stands out. Oh no, spoilers. Um, so what we've done here is I've hit it from Sydney on a Linux machine running Mullvad Browser and that was at 3:20 in the morning UK time. And then I installed it on a Linux machine at home as well and hit the same website six minutes later and we've got exactly the same fingerprint, because this is attributing it to the same user. I didn't travel that way in six minutes. Cool. So I just want to give a bit of
demo of how how these websites are being used. So because you've hopefully some of you have hit the website
suspense.
>> Wait. Okay. Mega zoomed in. You know what? Keep it. Cool. So, this is the FingerprintJS library. So, in true blue fashion, this is one I made earlier. And we've got me hitting the fingerprinting, uh, from two different IP addresses. It still identifies you. And then as we go on, we can see that I just hit the homepage. I go to the blog for browser fingerprinting. Go back to the blog page and check out my write-up on Hack The Box Blue, and we can see how I'm browsing it even though it doesn't store anything on my browser. And this is the fun bit where I get to see if anyone's going to stay.
Hey, go on. Thank you. So, let's check out this one. And this is the sort of stuff we can see. So, we know that someone's on iOS 18.7. They're running the latest version, I hope, on Safari, and where they're coming from. And then we've got some ideas of are they a bot or not, as it's coming through Tor and some other things like that. And then this can even check if people are running in incognito mode as well. And it can even flag you for that. If you log in and out of incognito mode, it can still pin you down, which just blows my mind. But oh, that's 42 events today. Thank you. No, we've got a pretty good range of
people on this. Every single log is recauses of what people have been doing. So, oh, that one should be interesting. We got a JTLW5. So, that's a user identifier, I believe. Yeah, let's go on. Yeah. So, we can see that this one person's been on the fingerprinting, has a poke around, gone to the browser fingerprinting blog post, and then gone back to the original fingerprinting page.
back where we are. Okay, cool. So, there's quite a lot of information that we can sort of see and try and understand about how they're browsing. And from this I just wanted to understand how each different browser sort of shares information and stuff. So there's a tool by the Electronic Frontier Foundation called Cover Your Tracks. Hope some of you have heard of it. And it can give you an idea of how much information you're sharing through different properties. So this is just on canvas, webglio and font fingerprinting. And we can see that the big four browsers, I'm sorry, I'm including Opera in there just because they're pretty bad as well. Um, so Opera, Firefox, Edge,
and Chrome by default out of the box is pretty poor. There's a lot of information there. So if two billion people visit your website, you could still stand out as that one person who's visited it just from these three different fingerprinting measures. And then we move down to the Mullvad Browser, which is a little bit better, but it's a bit different because we might share more information. However, if we're trying to sort of collectively stand up and sort of have the same fingerprint as other people, it's quite useful for that. And then in podium positions, we've got Safari, iOS, uh, Brave, and hardened Firefox. So these three were doing pretty good and they all have one thing
in common. Instead of just sort of writing, uh, canvas scripts or sharing audio of sort of how it does, they randomized it a little bit every single time. And it was this randomization that stopped it from giving too much identifying information. So we've got some sort of ideas of ways we could try and avoid it now. So we can either try and blend in using things like Mullvad or the Tor browser. Um, we just try and look identical to everyone else visiting it through the Mullvad version of the Tor browser. And this is great when there's a bunch of people accessing a website. It's a big website. They are going to have at least, hopefully, a couple of people with foil
hats on trying to access it through the Mullvad Browser. However, if it's just you, you're going to stand out like a sore thumb. It's just happening. And then you can try and sit with randomizing everything, which is, you can try and do that, but there's a lot of stuff to try and randomize. And it's not foolproof. So, we can try and put noise into things and, yeah, there are always gaps. And again, if you're that one person who appears with a different fingerprint every time, it's not going to be a massive surprise when you're being tracked. So, we've got a few things we try and do. We try and harden Firefox, which, um, is a really good option. We try
and disable JavaScript, which is great if you want 90% of the web to break. And then we've got the Mullvad Browser, which is quite effective. However, again, you've got no history, you've got no cookies, and it shuts everything down. So, there are definitely some trade-offs. And then you've got something like a virtual browser. This is sort of where you've got like a server farm off somewhere and they loan out their devices as just something you can access a browser remotely on and you can navigate it through there. And that's good for just making sure you've got the same fingerprint every time. It's not just you accessing it from there, and just creating a more uniform fingerprint
without taking necessarily all of the sacrifices of the Mullvad and Tor browsers. So in terms of what's realistic and where I'm personally sat, I'm in the Firefox and privacy.resistFingerprinting camp, because, um, you know, I do want to try and reclaim some privacy. However, there are trade-offs and sometimes they aren't always worth it, because I think one of the biggest things in security for me is the trade-off between convenience and results. And you're losing a lot of convenience when you move further down to the Mullvad browser and just disabling JavaScript. So, we've got the Brave browser, which does some very similar stuff as well. And then we're looking at the Mullvad
browser, which yeah, it's good if you want to try and have the same fingerprint as other people, but you're losing you're losing a lot of the sort of home comfort that normal browsing does give you. And yeah, like I said, if you want just everything to break, you can disable JavaScript, but at least you're not being fingerprinted as much because TLS still works. So why is it happening? From sort of like a website's perspective, they don't want you hitting them and scraping them on repeat if you're just a bot and you're trying to crawl it for your AI agent or whatever you're doing. So there are there are legitimate use cases to understanding who's accessing
your website and why. However, it also is being used for fingerprinting and we've seen like some of them are sort of getting more and more intensive when I don't think there's a reasonable sort of use case for it. We can try and sort of block a lot of these things out but we do end up breaking things on the internet as well.
Um, so yeah, I think I just want you to take away from this that even if you do hit the reject all button on the cookies banner, that's only half a thing and you can still be pinned down the tracks and all that stuff. But yeah, thank you very much.
>> Got lots of time for questions if anyone has any. Do you see, in looking at fingerprinting tools, anybody using what are objectively bugs in browser behavior? I mean things like weaknesses in cross-site behavior in browsers that
>> Not that I pick up on, no, because there's so many, um, sources for it already. Like some of them would try and check what like Bluetooth devices you support. There's a whole slew of information that they could do. Um, I'm not sure if they tried to do any bugs. Because from the perspective of the browser, most of those versions can have the same bug. So it can't always produce a super unique fingerprint of that.
>> Yeah. I meant more in a sort of cookie style.
>> Oh, sorry.
>> If you're restricting third party access, then there are
>> ways to get around with it. Yeah. Um, I've not seen any, but it's not something I was massively looking for.
>> The randomized results returned from Safari on iOS. Is that a WebKit thing or specifically a Safari thing?
>> It's a WebKit thing. So, I did this on Chrome browsers on iOS.
>> Yeah. Yeah. Yeah. So, I did this on Chrome and iOS as well. And it gives basically the same results because, like you say, it's just WebKit under the hood, because Chrome is still just reskinned Safari on iOS.
Um, so I'm old enough to remember to be something that a lot of bookies used on their website. Basically, if people were winning too often, it would track people by their browser basal
under EU cookie tracking and stuff like that in California. So because of Chrome going back on this in early 2025, um, the Information Commissioner's Office, responsible for this sort of stuff in the UK, did have something to say on this and it was basically along the lines of: Chrome understands this is bad. They shouldn't be doing this. Users don't get a choice and they're storing and, um, identifying and tracking information that users have no control over. Because when we saw all these canvases and these websites, I didn't click yes to anything. I didn't browse into any further. I sat on a website for 10 seconds and it just finds out everything it can.
>> That's pretty shocking.
>> Yeah, it's not good, but it's just what's happening. And then there's the, um, sort of big thing in the news where everyone's kicking off about, um, LinkedIn taking browser extensions and checking for those. And it's not super uncommon to be checking for that. And there's a bunch of other stuff as well that makes you uniquely you on the internet. And those are still about
>> I have many questions. The, like, most important one really is, like, I've run JavaScript disabled for years now. It does tend to
>> break,
>> but like the TLS fingerprinting,
>> how, like, is there any kind of countermeasure to that?
>> I don't know. I haven't looked at that, to be perfectly honest. Um, no, it's one I dipped into briefly just to see that it was a thing. That terrified me and then I was checking out some other methods and focused on those. Like, is it possible to, like, detect if the request is legitimate or
>> well, from the sort of server?
>> Yeah,
>> I couldn't say, because you're sending out a TLS hello request when you're just saying give me these encryption methods that I support.
>> Um, so I couldn't say past that, but I'm not sure how you can solve that one.
>> Awesome. Well, thank you. Thank you very much.