Canvas Fingerprinting

Canvas is an HTML5 API which is used to draw graphics and animations on a web page via scripting in JavaScript.

But apart from this, canvas can be used as additional entropy in web-browser's fingerprinting and used for online tracking purposes.

The technique is based on the fact that the same canvas image may be rendered differently in different computers. This happens for several reasons. At the image format level – web browsers uses different image processing engines, image export options, compression level, the final images may got different checksum even if they are pixel-identical. At the system level – operating systems have different fonts, they use different algorithms and settings for anti-aliasing and sub-pixel rendering.

This is the first in the wild PoC of the Canvas Fingerprinting. Below you can see if the Canvas is supported in your web browser and check whether this technique can keep track of you. In addition a little continuing research will show how realy unique and persistent Canvas Fingerprint in real life, and whether your signature in BrowserLeaks database (nothing is collected right here!).

JavaScript Disabled

Canvas Support in Your Browser
Canvas (basic support)	?
Text API for Canvas	?
Canvas toDataURL	?
Database Summary
Unique User-Agents	170542
Unique Fingerprints	6089
Your Fingerprint
Signature	n/a
Found in DB	n/a
Image File Details
File Size
Number of Colors
PNG Hash
PNG Headers	Chunk	Length	CRC	Content

Browser Detection
✔ It is very likely that your web-browser is Web Browser and your operating system is Operating System. ? Your Canvas Fingerprint appears to be unique for our database. ? Canvas Protection was detected, it seems that Tor Browser is here!

Browser Detection via Canvas is very rude and nominal, based just on parsing User-Agents. Don't be surprised if your signature refers to Windows as well as Android (for example). It does not happen. Just someone used UA-spoofing or device emulation on a websites, which is collecting the database. We could use more accurate sources of data (TCP/Flash/etc) to compile more reliable correlation between Canvas Fingerprint and Browser/OS, just it was not a main goal, also it would require further action from webmasters who agreed to put our code to collect data on their websites.

How Does It Work

Unlike the other «browser detection» tricks, this deals with many OS features related on graphics environment. Potentially it can be used to identify the video adapter, especially if you will use WebGL profiling, not just Canvas 2D Context. By the way different graphics card drivers can also sometimes affect to regular fonts rendering.

This tiny animated GIF shows how canvas image can be variable from 35 different users. The code is not changed, but each frame is different:

As you can see from our Database Summary, the number of unique images that we have been able to collect is a few thousand for now.

Here is the JavaScript code that produce the pixels:

// Text with lowercase/uppercase/punctuation symbols
var txt = "BrowserLeaks,com <canvas> 1.0";
ctx.textBaseline = "top";
// The most common type
ctx.font = "14px 'Arial'";
ctx.textBaseline = "alphabetic";
ctx.fillStyle = "#f60";
ctx.fillRect(125,1,62,20);
// Some tricks for color mixing to increase the difference in rendering
ctx.fillStyle = "#069";
ctx.fillText(txt, 2, 15);
ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
ctx.fillText(txt, 4, 17);

To create a signature from the canvas, we must export the pixels from the application's memory using the toDataURL() function, which will return the base64-encoded string of the binary image file. Then we can just create MD5 hash of this string, or even extract CRC checksum from IDAT chunk which is placed from 16 to 12 byte from the end of every PNG file, and this will be our Canvas Fingerprint.

Canvas Fingerprinting

Canvas Support in Your Browser

Database Summary

Your Fingerprint

Image File Details

Chunk

Length

CRC

Content

Browser Detection

How Does It Work

Further Reading

Leave a Comment