Show HN: What every browser knows about you (robinlinus.com)
553 points by Capira 597 days ago | 206 comments

Not sure why battery is exposed; I guess that's the result of making browsers more like OSes.

The only really annoying thing is the idiotic WebRTC settings. Their love for "data channels" with zero prompts, despite having no legitimate uses[1], ignores your proxy settings. This should be fixed.

1: I asked someone involved with WebRTC. They suggested "maybe a page wants to communicate with your fridge directly" as a serious use of WebRTC data channels.

Multiplayer gaming is a legitimate use of data channels, but I don't see why it couldn't prompt for permission.

WebRTC folks insist prompts will confuse people and be bad. But ignoring explicit networking settings is good, somehow.

Acceptable default but one should be able to enable prompts as a less-confused user.

There are some really cool uses of webrtc data channels. e.g. https://webtorrent.io/

Yeah, and that's also a great example of what should NOT be allowed without the user's EXPLICIT permission - simply visiting a link should not result in a torrent download!

Simply visiting a link downloads dozens, sometimes hundreds of files without your explicit permissions. It simply uses a different protocol.

No, it doesn't just use a different protocol. It ignores your network settings (proxy) and exposes your local network information.

I can understand not wanting to scare people with "Allow P2P Data Channel", but ignoring proxy settings and revealing all IPs is unacceptable. WebRTC folks toss off these concerns with "there's no way to prevent tracking so heh".

It's bad that it ignores network settings.

But that's orthogonal to whether it's torrenting. You can torrent while respecting network settings, and without exposing local IPs.

Visiting a link exposes also a lot on default. Browser, OS, Resolution. The major browsers are not built for these needs. Best experience first. BTW: There are extensions to block WebRTC IP leaks.

> Visiting a link exposes also a lot on default.

We should be reducing the amount of data exposed and fixing the mistakes of the past that allowed so much data to be easily exfiltrated.

> Best experience first.

"Best" is not a defined term. What software developers should (always) be providing is the safest method first. Fancy UI tricks are a far lower priority than safety. If there is any doubt, fail safely.

Anybody that isn't putting safety first is being incredibly irresponsible. Stop leaking data and design for safety and security first. Yes, this will be harder to make a nice user experience. In time, this will improve, but in the meantime safety is not something that can simply be ignored.

> extensions

Safety is not an optional feature that only some people should have.

Simply visiting a YouTube link should result in the video to start streaming right away though?

How will you know that a download is desired or not?

<video> tags are a more standardized part of the web. Although I should be able to disable auto-buffering as well as auto-play.

Ideally the user can control whether all types of content get loaded—images, CSS, JavaScript, web fonts—or even allow/deny individual domains or files, but so far browsers require an extension like uMatrix for that.

The fact that some browsers do allow you to control these things, even if you have to use an extension because they don't support it themselves, is crucially important and totally acceptable. AFAIK there is nothing equivalent to NoScript for IE, however, so that's just one of many reasons I don't use it.

I don't really mind the trend in browsers over the last several years to give explicit access to more OS resources, it frees us from both Flash and Java Applets, Adobe's PDF reader, and other crap. But I'm not sure the browser replacements, at least in the short term, will actually get the security models any better. Is there any reason to prefer all these new JS APIs over allowing a Java Applet, besides "Java Applets are insecure"? It's certainly not performance -- I know many people chuckle when someone demos the latest X in JS (with or without WebGL) where X was done better with less hardware years ago via an applet. Secure or not, it's incredibly difficult to actually run an applet these days, and it's a strange disconnect with how the browser is fine doing so much else without warning. Will we see a similar increase in difficulty for running JS that can be just as insecure?

I've been a NoScript and adblock advocate for many years, but the first is often met with alien stares and the second is only successful when I install it on their browser myself or when I'm recommending adblocking to either other technical people or people who really hate ads even on TV. There's a weird resistance some people have that can get brought up in both cases, though, and it's probably going to take more than a few big public fails due to malicious websites before people will stop bringing it up. The argument adblocking users have been making for ages: this is my computer, my browser, and neither is under any obligation to act in a particular way based on the contents of what your server sends me. I don't like your ads? I can choose not to see them. I don't trust your JS? I can choose not to execute it. I don't like your theme? I can load my own. It's very weird to me that people oppose this view.

Do you use NoScript every day? I think while it would make those annoying APIs go away, the web site experience would become a bit poor and even not work properly.

> Simply visiting a YouTube link should result in the video to start streaming right away though?

I hate that. Is there a reliable way to turn that behavior off?

If you're a Firefox user, go to 'about:config' and set 'media.autoplay.enabled' to false.

To know that arbitrary netcode can run silently on the background of my browser is really surprising. And not in a good way.

https://snapdrop.net is also a cool use of webrtc ;)

Is the wink because of the 502?

No, it's an app of mine and up again. Thanks a lot for telling me it was down!

It's funny with WebRTC, because I remember when the same could be accomplished with Java applets (Java ignored any proxy settings, which allowed to deanonymize people on the internet, e.g. it no longer mattered if you were behind TOR if you had Java enabled). I think it was considered a security bug and was patched later. Seems that WebRTC people are not so security-wise I suppose...

I am not sure if this battery is not just FUD and some other sections as well. Because I currently have no battery in my laptop (no battery detected) and site is saying "Charging: charging", "Battery level: 100%", "Charging time: 0h"

It was spot on for my phone at 85% and charging

My desktop system is saying the exact same thing.

The page also thinks my system is flat on a table. Close; the screens are, while the tower's on the floor :P

Works quite well on my phone.

Oh so it works on mobile phones then, not laptops.

It made a correct reading for my laptop (Macbook).

More likely, battery detection is just a little broken, like most of the supercharged, application delivery platform, content-powered Web 2.0.

Just like with mobile apps, battery info can help websites decide whether they should run a complex operation now. It also helps detect regressions if a commit happens to suck power faster. Unfortunately, it's more bits available to deanonymize users across websites.

Data channels are useful for synchronizing your phone and your laptop. All native platforms support this. Most websites do it with a roundtrip to the server. So it would be mysterious to the user why a permission is prompted for something that should just work. Obviously it's bad for privacy though.

So painting it as having no legitimate uses is a bit one-sided. There is no easy fix.

What websites do CPU-intensive work that can be delayed for hours?

In general I want a website to suck as much power as possible so it can be done sucking power as soon as possible, whether I'm on battery or not. If you want to find waste, track execution time and bandwidth use.

I'm not sure I understand your point. Many apps (would) benefit from delaying some tasks and waiting to be on charge and a wifi connection. Typically, synchronization for example requires the device to be awake for a long period because of network roundtrips, transfers, disk seeks and CPU work. Software updates are similarly impactful on the battery.

At least, it makes sense to measure battery usage to optimize your code. And in my opinion, it's also beneficial to react to battery events (delay when on low battery, process when on a wall socket) and network events (bad coverage vs. strong wifi).

Battery levels are exposed in the Battery Status API [1] which is currently implemented on Firefox and Chrome, both desktop and Android editions [2] but not on iOS.

1. https://developer.mozilla.org/en/docs/Web/API/Battery_Status...

2. http://caniuse.com/#search=battery

So, literally all this said was:

- "MacIntel"

- some stuff from my User Agent string (changing it to IE11 made it think I'm on Windows 8)

- my public IP, network provider and approx. downstream speed.

I don't use Facebook or Google so I don't know if those things would have worked.

None of the network scanning worked, it didn't use the geolocation stuff, etc.

If Chrome/Firefox/IE do allow access to all/some of those things without prompting, jesus titty fucking christ.

All of you claiming "Safari is the new IE6" need to perhaps pay attention.

Google has a vested interest in pushing browser technologies regardless the cost to privacy or user security - their ChromeOS devices depend on a world where web apps can do everything.

Same here, it didn't detect some of the things it should have (theoretically?), e.g. AdBlock plug-in, Twitter & Co., and the EXIF data wasn't fully exposed. The geo location was wrong by some 70 miles, but that's a question of a proper geoip database I suppose.

All in all, not very spooky with Safari at least.

I think it's specifically not GeoIP location - that doesn't require a browser to leak anything as it's using your public IP address.

I assume (because mine didn't show anything) that it's relying on the browser leaking its device-detected location without prompting?

Right it does not use the HTML5 Geolocation GPS. It uses Google's Geolocation API to locate the user without asking for permission.

I don't think it's possible without user's permission, so no it's likely one of those public GeoIP databases which are usually a bit behind, inaccurate and incomplete.

Hmm yes, quite odd. The first time I loaded the site, nothing appeared in the location area, leading me to suspect that it was abusing a prompt-less device location API.

After your comment I loaded the page again, and sure enough it shows a very specific, but quite wrong location. Wrong province wrong.

I actually got better GeoIP results than that (down to the local city) on my old broadband connection. I just tried it now (we moved 2KM and changed ISP, from DOCSIS to ADSL) and all I get is the country now - possibly because it's dynamic whereas our DOCSIS IP never seemed to change.

So it's kind of creepy on Google's part that they even offer this service, but the data seems to be so woefully useless that I can't believe anyone would actually use it.

http://webkay.robinlinus.com/scripts/social-media.js that's a cool trick, thanks for this!

What is this useful for?

It helps you figure if a user is signed into a social network. One might think this is not possible because of cross-origin restrictions but this trick shows you how to bypass it.

Could you explain how this works? Er, I mean why only the re-direct to the favicon works?

The login page will redirect to the favicon if the user is already logged in, or it will serve a regular HTML page if the user is not.

So, the script creates an (invisible) <img> element for every website which points to the login page (which might redirect to the favicon). If it receives an image, the user is already logged in and the onLoad() callback will fire. Otherwise, it will get an HTML page, so the onError() callback will fire.

It could work with any image on the website, not just the favicon.

Though the redirect works only with images hosted on the same domain. The favicon was the only image I could find on twitter.com or facebook.com.

I reported this bug to every company listed there, but all of them said it is not relevant to their users' privacy.

Yeah, that's very critical information. Thanks, guys!

This is showing that I'm logged in to Facebook but I don't have an account there anymore.

The speedtest http://webkay.robinlinus.com/scripts/speedtest.js downloads a 5mb file from http://www.kenrockwell.com/contax/images/g2/examples/3112003....

You might want to change that to something on a big company CDN to avoid killing kenrockwell.com's server.

Thanks a lot for the feedback! I changed it to https://upload.wikimedia.org/wikipedia/commons/2/2d/Snake_Ri... for now. Can you suggest a better image?

I suppose something that's unlikely to ever 404, and on a CDN that's "fast" for folks everywhere in the world would be best, so upload.wikimedia.org is a good choice.

Scanning the visitor's /24 without notice, warning, or opportunity to opt out is a dick move. Our IDS probably just lit up like a Christmas tree.

Yup. I have a honeypot on my home network that hits Twilio when it gets poked at. So the author at least got my phone to light up.

At least you know it's working!

But yeah, I echo the other commenter wanting to know more about how you set that up.

That sounds awesome, care to share a few more details?

I actually locked myself out except for console access, so some of this is from memory/Googling:

1. Connect Raspberry Pi to local LAN and get wifi setup (I VLAN wireless traffic, so I have it listening/connected to both)

2. Change iptables default policy to DROP

3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I added an allow rule to talk to another machine that runs a PHP script that talks to Twilio

4. Spend about a week adding custom DROP rules for any normal broadcast traffic on your network (Bonjour, random auto-discovery stuff, etc)

5. If you have properly excluded everything "normal" you should be able to run "iptables -vL" about 24 hours apart and the packet count next to the INPUT chain policy will not have incremented (remember we have a default of DENY)

6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ZOMG: " --log-level 4'

7. Write a bash script to monitor syslog, parse the log, forward to the before-mentioned script on another host
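Steps 6 and 7 above, sketched as an added example (not the commenter's own script): it picks the `ZOMG: ` lines written by the LOG rule out of syslog, groups them by source address, and hands one summary per source to an alert hook. `ALERT_URL`, the `/var/log/syslog` path and the summary format are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: watcher for the 'ZOMG: ' LOG rule from step 6.
# ALERT_URL, the log path and the alert text format are assumptions.

LOG_PREFIX="ZOMG: "

# Constructed sample lines in the format the iptables LOG target writes.
sample_log() {
    cat <<'EOF'
Mar 29 21:14:03 pi kernel: [ 8123.101] ZOMG: IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=51514 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 29 21:14:31 pi kernel: [ 8151.440] ZOMG: IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 DF PROTO=TCP SPT=51516 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 29 21:15:02 pi kernel: [ 8182.007] ZOMG: IN=wlan0 OUT= MAC=b8:27:eb:00:00:02:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.40 DST=192.168.1.50 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1201 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar 29 21:15:10 pi dhcpcd[412]: eth0: renewing lease of 192.168.1.50
Mar 29 21:15:33 pi kernel: [ 8213.915] ZOMG: IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54323 DF PROTO=TCP SPT=51520 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Read syslog lines on stdin; print one line per source address:
#   <src> hits=<n> touched=<proto/port,...>
summarize() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }            # not written by our LOG rule
        {
            src = ""; proto = "?"; dpt = "-"       # ICMP lines carry no DPT
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # Only address characters may reach the alert text.
            if (src !~ /^[0-9A-Fa-f:.]+$/) next
            if (!(src in hits)) order[++n] = src
            hits[src]++
            key = src SUBSEP proto "/" dpt
            if (!(key in seen)) {
                seen[key] = 1
                ports[src] = ports[src] (ports[src] == "" ? "" : ",") proto "/" dpt
            }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s hits=%d touched=%s\n", order[i], hits[order[i]], ports[order[i]]
        }'
}

# Forward one summary. With ALERT_URL unset it is printed instead, so the
# script runs offline. ALERT_URL stands in for the second host's script.
send_alert() {
    if [ -n "${ALERT_URL:-}" ]; then
        curl -fsS --max-time 10 --data-urlencode "msg=$1" "$ALERT_URL" >/dev/null
    else
        printf 'ALERT %s\n' "$1"
    fi
}

# Follow the log (tail -F survives rotation, -n0 skips old entries). The
# LOG rule is limited to 2/min, so this sends at most two alerts a minute.
watch_log() {
    tail -n0 -F "$1" | while IFS= read -r line; do
        summary=$(printf '%s\n' "$line" | summarize)
        if [ -n "$summary" ]; then
            send_alert "$summary"
        fi
    done
}

case "${1:-demo}" in
    watch) watch_log "${2:-/var/log/syslog}" ;;
    demo)  sample_log | summarize | while IFS= read -r s; do send_alert "$s"; done ;;
esac
```

Run it with `watch` as the first argument on the honeypot to follow the live log; with no arguments it processes the embedded sample lines.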

Very smart!

Just my 2 cents, but I feel like there might be some commercial demand for something like this if you'd ever consider packaging it.

>I actually locked myself out

Hate it when that happens to me...every week.

Sorry! Didn't think about that. It is fixed.

You should leave it in, if the whole point is to demonstrate the capabilities.

It's incredible that a webpage can do that.

I think a button would be more appropriate. Not everyone reads HN on a network they control and port scanning one's neighbors can lead to some unpleasant conversations.

Maybe it's good that more conversations around this are started so that eventually this critique is upstreamed loud enough to the browser vendors.

> It's incredible that a webpage can do that.

How so? Any site you navigate to knows your IP, and can take action based on that.

This isn't based on external IP. This is using JavaScript to make requests inside your LAN.

Yeah I feel like samy.pl demonstrated this years ago, freaked me out and I have been running noscript ever since :D

Weirdly it's wrong for me, there's LAN IPs on the list that don't exist, and it's missing ones that do. Firefox on Ubuntu, with uBlock Origin, over WiFi.

Agreed - good on OP to raise awareness.

You should also fix the copy. You have "To prevent your browser from accessing your Device Orientation use NoScript." appear twice, the second time under "Network Scan".

Congrats on the page!

Thanks for the bug report! It is fixed ;)

This is a perfect example of what an attacker could do with your browser. If you can get a user's browser to run code, as this site demonstrates there is a lot of information you can find. And coupled with a Cross-Site Request Forgery, you could get access to a bunch of things. If your home router has a vulnerability that bypasses authentication and allows you to execute commands on the router or similar (which is not uncommon, home router security is awful), you could get a foothold into the network just by sending someone an email with links that they are likely to click on.

Note to the author: I am not entirely sure how the WebRTC connection gets you a local IP, it seems to be connecting to stun:stun.services.mozilla.com. Anyway, that grabs the wrong local address for me, and gets the IP of my docker0 interface, perhaps it could grab more IPs, or is it just displaying the first one it finds?

Edit: Oh, the getIP function just calls the callback on the first candidate it finds.

Someone should make a smartphone app version of this to demonstrate what is accessible via the app permissions that most people just blindly accept at install time.

"Here are all the nudie pics on your phone as identified by our nudity detection algorithm. Here is a list of your probable work and family contacts. Here is the MMS that you really don't want this app to send on your behalf!"

I'm guessing you're talking about android?

Apps on iOS don't prompt for permissions at install; they prompt when they try to access something, e.g. photos, contacts, etc.

They do that on Android too now.

Only for the very latest versions of Android OS that most people don't have and probably won't for several years due to Android's software distribution model.

Outside our tech filter bubble where we upgrade to a new flagship phone every year, millions of people use low-cost, prepaid, or hand-me-down phones that have long been on the market, and stopped receiving software updates years ago through the broken supply chain of AOSP -> device mfr -> carrier.

Uselessly so; many apps just crash if you deny them permissions. I'm looking at you, Hue.

I don't blame them. I'd crash if you denied me permission too. /s

That's probably against Apple's app guidelines.

I didn't realize that browser would spill my local IP address, or might be able to scan local devices in the same network. Shouldn't browsers have settings to enable/disable access to device sensors or data?

That's the power of WebRTC.

One might view HTML5 as an exploit package ;)

While it hardly surprises any of HN audience, it's a GREAT showcase for a less technical audience.

I see that you removed automatic network scanning due to a comment here; but since it's an educational project, I think it would be valuable to add a comment that explains that a malicious website could get that info without consent.


I see NoScript being recommended but if you're not using Firefox this isn't an option. Luckily both uBlock[1] and uMatrix[2] are cross platform and will work on most (any?) Chromium based browsers as well as Firefox. All instances of uBlock in this post are referring to uBlock Origin[1].

In addition to NoScript both uBlock[1] and uMatrix[2] can be configured to block javascript (you can block both 3rd and 1st party javascript with either). In fact even on Firefox I would recommend trying uMatrix instead of NoScript because of the interface but my opinion is probably biased since I've been using it for some time now. You can keep NoScript enabled in this situation just make sure to whitelist TLDs and allow scripts globally (also remove the built in whitelist while you're at it).

If you want a simpler solution which offers the best bang for your buck then using uBlock in medium mode[3] is what I would recommend. This will block 3rd-party scripts and iframes (globally). Any page breakage that occurs as a result can be very easily handled by setting a noop for scripts and/or iframes for that page's scope. You can also block 1st party scripts if you really want to but it will likely cause a lot more stuff to break. uBlock can also enable browser settings that will prevent WebRTC leakage under certain circumstances.

On a side note if you're using even just uBlock then that will likely remove the need for running additional privacy extensions (save ones that deal with cookies) like Disconnect which also block network requests (you can use the Disconnect lists from within uBlock). uMatrix does give you the control over cookies.

[1] https://github.com/gorhill/uBlock

[2] https://github.com/gorhill/uMatrix

[3] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...

I switched from easy to medium mode after reading, following your advice. How would you suggest dealing with for instance youtube.com now that no videos will load?

Btw only hard mode stops any browser details leaking on the test site: http://webkay.robinlinus.com/ which is awesome, but I wonder how much time you have to spend fixing all the sites that you visit that will be broken in this mode.

Anyone using "hard mode"?

The easiest way is to enable 3rd party scripts on youtube. While at youtube open the uBlock Origin menu and set 3rd party scripts locally to no-op. After you enable advanced mode the two columns that now appear are for blocking stuff globally (left side) and locally (right side). Globally blocked stuff (like when you set up medium mode to block 3rd party scripts and iframes) automatically gets applied to the smaller scope (local to the site currently open).

To unblock scripts just turn the 3rd party scripts block to gray which equals a noop for that. Green is explicitly allow which is what we DON'T want since we still want filtering from the filter lists to apply. Basically to unbreak sites you start with setting 3rd party scripts to noop then iframes if that doesn't fully fix a site. This setup is rather coarse-grained but is the easiest way to increase security and privacy with the least amount of user interaction (the most bang for your buck basically).

As you browse with this "medium mode" you'll probably interact less and less as your dynamic filtering list gets built up. I wouldn't recommend using the "hard mode" since there's not a lot to gain from it and it will cause a lot more breakage.

Edit: Also I just noticed this but font blocking is also enabled in the medium mode screenshots. This isn't part of the described medium mode and the author of the screenshots likely forgot to turn it off before taking them. However you're free to try it out if you want but keep in mind it can break the look and feel of sites. Also it may not actually block the downloading of the font if you're using Chrome or a Chromium based browser so there's less of a reason to use it on Chrome.

Subjectively, uBlock doesn't seem to be catching everything recently - has something been changed?

If you're only relying on the filter lists then you're at their mercy.

Without using NoScript, what else should I be doing?

Learn to use "Dynamic filtering" or check about the "Blocking Modes", for example. uBO's abilities far exceed those of your average adblocker that relies only on filterlists: https://github.com/gorhill/uBlock/wiki

There's also Xombrero, a minimalist web browser on top of WebKit with whitelisting for JS, plugins and cookies. It's also keyboard oriented.

Thanks a lot for your detailed explanation! I added a link to your post on the page.

Not much of interest showed up for me. Monitor resolution, browser ID, geo location, OS and public IP.

My main browser, Firefox, has uBlock and Self-Destructing Cookies. Tried it in both IE11 and Edge (both of which I never use), and I got pretty much the same result. Firefox and Epiphany on Gentoo Linux also failed to startle me.

I'd like to see a screenshot of a "worst case scenario".

> Not much of interest showed up for me. Monitor resolution, browser ID, geo location, OS and public IP.

Are you saying it showed your geo location without having prompted for it, and that you're OK with that?

I meant whatever DB they use to get location from an IP address.

> I meant whatever DB they use to get location from an IP address.

They aren't using GeoIP lookups. Google runs a service that uses Javascript to try to provide a more accurate position than GeoIP can.

> Geo Coordinates: [lat,lng about 90 miles from the correct location]

I find that error hilarious, because I set up correct in-addr.arpa and ip6.arpa reverse DNS entries for my (static) IP, which returns a domain name that has an accurate LOC record. My IP is two DNS queries away from my location (~10m precision), yet most of the time everyone uses these geoip databases instead of LOC.

Because you are literally the only one ever who has done this.

You are incorrect. ;)

Harsh. He was only off by one.

I found it shockingly accurate -- it gave the address of a house I can see out my window. I'm on an entirely wired connection, so I know it's not doing it via any sort of wi-fi location, but perhaps my ISP lays out IPs very predictably or something.

Mine is 30km off. The address is a farm 3km from the headquarters of my ISP.

Mine's about 400 miles off - I'm in Scotland and it put me in London.

OS X 10.11.4:

Safari 9.1 : Minimal HW/SW detection, No social media leak, No network scan (after click)

Safari 9.1.1 (Tech Preview) : Minimal HW/SW detection, No social media leak, No network scan (after click)

Chrome 49.0.2623.110 : Full HW/SW detection, Social media login detected, Network scanning (after click)

Firefox 45.0.1 : Full HW/SW detection, Social media login detected, Network scanning (after click)

Safari 9.1 and 9.1.1 leaked my social media logins. Also 9.1.1 said "MacIntel, 4 cores" while 9.1 left out the amount of cores.

Also, my machine only has two physical cores, so 9.1.1 leaked physical + virtual

Wow. Safari is so strict, but I wonder if that's because Safari is (my assumption) a less fat browser after all.

Or just the browser with the least amount of funding tied to advertising.

No network scan is because Safari does not support WebRTC

And that's why so many sites break with it.

When the parts that break are leaking user hardware and network information, I'll take the break thanks.

It isn't like there is no legitimate use case for these technologies. It's just that they are accessible without any supervision.

And I'd rather not have them than accept the glaring security and privacy issues of having them without user permission.

Do you have adblocking or Ghostery on one or more of your browsers?

No Ghostery on any browser

On Safari 9.1.1 TP : no addons

On Safari 9.1 : AB (getadblock.com)

On Firefox : uBO / No "NoScript" (for testing)

On Chrome : uBO

This shows just how powerful JavaScript can be --- without it, the site shows nothing.

...which is not entirely correct, since your user agent, request headers, and IP are still visible. There's plenty of other sites which will show you those without requiring any client-side scripting. Here's one just from a quick Google search:


(Interestingly, you can see GoogleBot's IP and request headers if you view Google's cached version of the page.)

I found it interesting that it could read my battery level and discharging time. As for device orientation, I think I've seen that before but I had forgotten about it being possible.

This is a pretty cool browser game that uses device orientation and websockets: https://lightsaber.withgoogle.com

Why not ask for permission, as is the case for location?

Would be good for targeted ads for mobile charging stations. "Battery running low? Charge up opposite starbucks for $1. Look behind you!"

"What _every browser_ ..."

How about text-only browsers?

How about homemade "browsers" that are powered by netcat?

As one informal poll appeared to show, many users questioned on the streets of an American city did not even know what a "browser" was.

Most times I only want to retrieve files (download) via some daemon running on some remote computer and then view them on my computer. That includes text, hypertext, or binary. Pretty much the same as in 1993.

I rarely use a graphical browser to do this. It is not needed.

Instead, today, unlike 1993, I am using a graphical "browser" to _play video_ after I download it (no internet connection). But playing a video file is not "browsing". Something is not right.

Seems like the www took a wrong turn.

Surprised the website didn't list installed fonts anywhere. Fonts, alongside with other device details, can be a great way to fingerprint a browser/user.

Edit: Actually, I believe you need Flash or a Java applet to actually get a list of fonts installed. But you can do other, slow, iterative approaches via JS.

With panopticlick, I consider lots of things very able to fingerprint users. I like that this site says it knows things about you without a previous visit. A site doesn't need to have seen you before and track you all over the web. A site can infer things from what is sent the very first time.

Of course, this isn't the first site to remind of us of that, but the reminders are still good, and interesting to learn about!

The social media thing is cool, I didn't know that trick of using the favicon.ico img under the login of a site to see if the image will load or not. That's pretty nifty

Might still need some work though:

Chromium 49. The only place I am logged into is Reddit

> Twitter: logged in
> Facebook: logged in
> Google Plus: logged in
> Reddit: logged in
> Flickr: logged in

That's an old one. You can see browsing history, if persistent caching is enabled.

The clickjacking is the only one that surprised me. Very unnerving. Need to read more about it.

Me too, I don't understand what it is actually; this page doesn't really explain what it is.

For some reason, this worked really badly when I tried it. About the only things it figured out were that I run Linux on an x86_64 system and use Firefox. Well, it did get my ISP right, so that pretty much limits my location to a single country. Even my display resolution was not right. It did find quite a few devices on my network. All of them non-existent, though.

Your browser can not connect with the other devices, unless they run a webserver. This scanner can just detect if there are any devices.

> Your Device is propably laying on a Table

I'm one of those heathens that actually puts the desktop tower on top of the desk. Got me.

Your desktop has a gyroscope?

No, and the website reported as such. I guess if you have no motion/orientation sensors of any kind it just guesses it's on a table.

Sorry for the confusion. Don't take this interpretation too seriously. It's just for fun ;)

Odd. I went there using a desktop and it didn't report that my device was on a table.

Me too, my tower is in fact "laying" not standing, on a table. Just as an aside, this declaration should read. Your Device is "probably", not propably.

If you try this with your iPhone it activates your gyroscope and says "Your Device is probably in your Hands."

It knows too much

It gets worse

Reading keystrokes from a nearby keyboard using the gyroscope http://www.cc.gatech.edu/fac/traynor/papers/traynor-ccs11.pd...

Speech Recognition using the gyroscope http://www.wired.co.uk/news/archive/2014-08/15/gyroscope-lis...

Not just a problem with webpages, apps that don't have access to your mic do have access to your gyroscope

One possible solution is to not allow gyroscope reading above say 20hz without user permission (for both apps and webpages)

should not be possible to read any phone sensors without permission!

@Capira since you're so readily fixing things based on comments (awesome), here's another one.

You write "To prevent your browser from accessing your Device Orientation use NoScript." under the Network Scan section. Looks like copy / pasta.

Thanks for the Feedback! Fixed. ;)

Nice, thanks!

Amazing project!

After checking out the demo, it was scary to realize that websites can access an unexpectedly large amount of information about me.

So I installed Tor with the Noscript addon and the demo was not able to access any details at all. Well it did show my ISP and hardware details, but it was wrong.

This should be the default setup in a browser, Tor+Noscript.

The issues of constant captcha harassment and slow browsing speed using this setup need to be addressed. Slow browsing can be addressed by adding more nodes to route traffic. Regarding the captcha issue though, I am not sure about a good working solution.

>This should be the default setup in a browser, Tor+Noscript.

That's just unrealistic for most people, especially the TOR recommendation. Script blockers are troublesome even for tech savvy individuals, though I highly recommend blocking scripts for anyone who can "handle it". Gorhill's work (via uBlock Origin) provides a much more realistic way of disabling these kinds of malicious and/or invasive actions. Not sure if they're currently blocked, but he's made strides to block crapware and its kin, so this might not be so far off.

GPU: Vendor: Google Inc.

I got:

GPU: Vendor: Mozilla

cpu Linux x86_64

I didn't like that it was able to obtain my battery information. I discovered that this can be prevented in Firefox by setting dom.battery.enabled to "false" under about:config.

I didn't even realize the website was trying to obtain information because I don't use JS. It's ridiculous how much of a liability it is.

Is that on a mobile or desktop browser? It didn't have any info about my battery (iPhone 6)

Desktop Firefox. Not all browsers expose battery information[1]. Of course Firefox for iOS isn't really Firefox.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Navigator/b...

Some interesting things could happen if you were to start collecting every user's visit with a timestamp.

For example, ip address + timestamp + even a rough geo ip location could reveal travel patterns of users simply visiting your site.

Let's say those travel patterns include visits to nations less friendly to the US and you just might find out some details about someone ( or at least a certain IP ) they really wouldn't want you to know.

All you need is a web server and a little bit of javascript.

I'm not quite sure what this is meant to prove - all of what was revealed for me seems tame. Is it meant to scare users to disable JS?

Yes. And WebGL, and WebRTC.

Interestingly after visiting this page the default language on the Google Accounts sign-in had been changed to German.

The network scanning thing is both scary and revealing. I never thought about that, thanks!

While visiting this page it tried to open my router's admin panel. Anyone see this too?

There is literally a "network scan" section of the page that informs you it's scanning devices in your local network.

That's why you see webrtc requests to internal IP addresses. I do not see any requests to the router admin panel, and in fact it looks like the code specifically avoids sending a webRTC request to the gateway IP (x.y.z.1)

I am a hacker. How the hell does it know my local IP? Via WebRTC I presume?


Thanks for the nice demonstration. Looks like the speed test is running off a very random source image that might not be yours. If it isn't, you might want to look at hosting your own image for it.

I would be interested in reading about how all of these are detected.

I know how some of them are, but not all. I predict others are in this boat, and interested in learning!

Look at the code (you know where to get that, right :-)), it's split into scripts for each of the tests.

I visited the page once on my Android using my HN app's built-in webkit browser, where it displayed some interesting stats like the location, the battery level, ISP, etc.

I opened the same link in Firefox Android with uBlock Origin installed, and got no hardware stats other than the kernel, no software stats, and no IP.

My takeaway from this is to NEVER use an app that uses Webkit.

I'm not sure if that was the intended purpose, but thanks for the eye-opener anyway!

> My takeaway from this is to NEVER use an app that uses Webkit

You're talking about WebKit on android, which was ported there by Google.

The original WebKit (as WebKit, not khtml) browser (Safari) doesn't leak all that information, so my take away would be not to trust a company obsessed with collecting private information and pushing all things into a browser, to have the best track record when it comes to protecting your privacy.

My takeaway would've been; use some sort of protection, like NoScript, uBlock, etc. The choice of web-browser engine seems less important when you globally allow javascript or other similar capabilities.

This is true, but on Android this is not possible on Chrome or the default webkit browser, as Google doesn't allow extensions. So my point still stands.

> To prevent your browser from leaking information about your software use NoScript.

Surely you can source this information (OS and browser) from the User Agent?

Between NoScript and Random Agent Spoofer, nothing is correct except my resolution and a couple of plug-ins (like Flash and VLC).

Shutting NoScript off doesn't make too much difference, and I don't think RAS does that much (some sites seem to see through it), so it must be one of the other addons (uBlock Origin, Disconnect, BetterPrivacy, HTTPS Everywhere).

Ironically, not using those plugins is a fingerprint in and of itself.

And what are methods to prevent browser from leaking all this information? I presume browsing in private mode is not a solution.

Shut off javascript.

Yes, this will reveal sites that serve broken pages that require javascript to render usually static content (skipping progressive enhancement is lazy and unprofessional). Are those sites worth the expense of everyone learning more fingerprintable data about you and your browser?

The WebRTC scan that others are complaining about is another good reason to shut off javascript. Are other sites doing similar scans, perhaps in a less obvious way? It is insane that random pages even have that ability; it's a huge attack surface that is mostly unknown and unexplored.

> private mode

That's mostly about not leaving data trails on the local device (hence the "porn mode" nickname).

It breaks all the single page apps. Javascript isn't the problem. It's browser features like canvas, webrtc, etc.

> (skipping progressive enhancement is lazy and unprofessional)

Single page apps are definitely in the "lazy" category. If you send a page without content, that page is broken. You should be prioritizing the safety of your readers.

If developing proper pages is difficult with your development tools or methods, then you should find a different method - ideally something that handles the progressive enhancement for you.

I started to add some information/advice to every section on how to prevent the respective type of leak.

It would be great to hear your suggestions on how to improve both the advices!

There should be some flags in the browser configuration to turn off or lie about some of these things. Or NoScript.

Unfortunately that means disabling JavaScript.

Something about visiting the page seems to knock my Android phone off of Verizon's data network for a short period.

Holy crap, I'm glad I have noscript running and only allow the minimal JS I need to run on pages I somewhat trust.

Yes, it's the first addon I install on a new browser. Can't recommend it enough.

This gave me the idea of creating a NoScript label for web sites that don't use javascript. It could be information passed in the page header as a specification (contract). I have a few web sites without javascript.

Is NoScript supported by iOS Safari?

I assume you're talking about the <noscript> element (as opposed to something to do with the browser extension with a similar name)?

In which case, it is definitely worth making websites as usable as possible without JavaScript. <noscript> is supported by pretty much all web browsers, including iOS Safari.

Even if your website relies heavily on JavaScript, it is still a good idea to let non-JavaScript users know via a <noscript> element that JavaScript is required, instead of having the page look like a broken mess (or a blank screen).

Do also keep in mind that search engines (generally) do not run JavaScript, so if you want page content to be indexed, it has to be present on the page as it is rendered without JavaScript. <noscript> may help achieve that.

Seeing all the "This site requires JavaScript, please turn on JavaScript and refresh the page" messages I get makes me think of putting all your content in <noscript>s, and then adding a script that writes "For your privacy and security, this site requires that your browser not run JavaScript. Please disable JavaScript and refresh the page." followed by links to sites explaining the bad side of JS-on-by-default and how to turn it off with things like NoScript.

Maybe it'll take off and people will understand, maybe not. But it's something worth pondering.

I think you should be able to achieve that already via the Content Security Policy headers: https://developer.mozilla.org/en-US/docs/Web/Security/CSP

CSP is widely supported by now, including iOS webkit: http://caniuse.com/#feat=contentsecuritypolicy
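An added example, not part of any comment in this thread: a small JavaScript check that parses a Content-Security-Policy header value and decides whether it actually enforces the "this site runs no JavaScript" contract discussed above. The function names and the sample policies in the usage are constructed for illustration; the `sandbox` directive is not covered.

```javascript
// Added example: decide whether a CSP header enforces "no JavaScript at all".
// Function names are hypothetical; they are not from any library.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs `name`, following the fallback chain
// script-src-elem / script-src-attr -> script-src -> default-src.
function effectiveSources(directives, name) {
  for (const d of [name, 'script-src', 'default-src']) {
    if (directives.has(d)) return directives.get(d);
  }
  return null; // no directive applies: scripts are unrestricted
}

// A list blocks everything when it is empty or consists only of 'none'.
// 'none' next to any other source expression is ignored by browsers.
function blocksAll(sources) {
  if (sources === null) return false;
  return sources.length === 0 ||
    (sources.length === 1 && sources[0].toLowerCase() === "'none'");
}

function policyBlocksScripts(policy) {
  const d = parsePolicy(policy);
  return blocksAll(effectiveSources(d, 'script-src-elem')) &&
         blocksAll(effectiveSources(d, 'script-src-attr'));
}

// `headers` maps lower-cased header names to values. Comma-separated policies
// are all enforced, so one blocking policy is enough. The Report-Only header
// is never consulted because it does not enforce anything.
function siteForbidsScripts(headers) {
  const value = headers['content-security-policy'];
  if (!value) return false;
  return value.split(',').some(policyBlocksScripts);
}
```

For instance, `siteForbidsScripts({ 'content-security-policy': "default-src 'self'; script-src 'none'" })` returns `true`, while a policy that sets `script-src 'none'` but also lists a host under `script-src-elem` returns `false`.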

Safari on iOS doesn't leak anything out of the ordinary for me. The geolocation was way off, identifying my iPhone as being in London (likely due to me accessing the page over a mobile data connection).

Right, the Google Geolocation API is very inaccurate on a mobile data connection.

You should also be able to detect Retina/normal DPI, in addition to the reported resolution. A bit of "responsive" CSS and checking what was selected using JS should be enough?

Great project, actually seeing some pretty interesting stuff I didn't know was available. Thanks for this

Heh, the facebook like detection thing failed utterly. Not sure how, or why. But, I am not even logged into facebook on this computer - and never have been. :-)

But a very cool hack.

Thanks for the feedback! Should be fixed now.

Is there a noscript equivalent for other browsers apart from firefox? Most of the recommendations were "noscript". And I had a lot of info leaking.

The closest and most similar to noscript I can think of is "uMatrix".

Ok, so it doesn't know anything but my OS and screen resolution. Seems good to me, considering I'm not using NoScript and the like.

Well, back to using noscript again since browsers are creeping closer and closer to arbitrary code execution platforms.

Guess I'm adding ScriptSafe to my list of Chrome plugins (Adblock, Ghostery, HTTPS everywhere, Random Agent Spoofer).

Got my location wrong by about 50 miles

If I remember correctly, geoIP traces get your location accurate to your nearest neighborhood Fios box ( or similar ). In cities there's usually one for every few blocks.

mine was accurate to about 30 meters, on a wired connection.

I'm impressed that Safari on iOS apparently doesn't leak image metadata when you upload.

So, the network scan gives me about 40 extra devices in my network. Should I be worried?

I guess I'll stick to Opera 12 since it does so much better than firefox.

Aren't you missing details about the screen resolution and ppi?

I had no idea this laptop had a GPU! Thanks!

glad to see that I leaked precisely zero of those.

Thanks NoScript

