MOAFP: The Mother of All Fingerprints (Part 1)

Background

I've watched device printing evolve over the last decade, and for the most part, there have been relatively few breakthroughs. For every new technique that moves printing forward, we seem to lose multiples due to privacy concerns. There comes a time when we need to do more than thinking out of the box, in order to break free we must burn the box and dance on its ashes.

Typically in the device fingerprint world, one would query a number of common navigator objects and from that attempt to determine if the device was one used by the account holder in the past. I liken this to attempting to uniquely identify a car, but you are saddled by only querying a few parts of the car. For example, color, number of wheels, number of doors. On the surface, it works until you get two sports cars that are red. A better technique is to take all the data points accessible and log those, not all data points, of course, would be applicable such as tint level of the windows. For cars with no tint, it would be a waste to collect a value of zero, so for those cars, it's simply not logged.

The technique presented is similar to the above idea, instead of collecting only a handful of common elements, collect everything offered. We have been saddled with grabbing a subset of navigator values which limit the amount of entropy we can pick up. This was mostly done to avoid the complexity around rule-based antifraud systems, machine learning techniques don't suffer from the same limitations. My solution to this is to walk the navigator object and retrieve values. This as you will see yields far more entropy than simply querying individual properties.

How It Works

The javascript code presented is straightforward. The function below grabs the navigator object and walks each available property and the associated values. We skip properties that return objects, such as screen settings, for now, we'll cover that in part 2. What you will notice is that browser families tend to have one or more unique properties, properties may changes across versions as features are added and removed, and the order of the properties helps identify the browser family. So even if an attacker spoof the values, the order gives away the fact that the spoof was done. As far as I am aware, there are no add-ins that let you alter every value or change the order. This would require a malicious actor to do some work to replicate the device fingerprint. The output of this function is a string containing the property and value in the form of property=value, with each entry delimited by the '|' character. The typical properties are as follows:

activeVRDisplays (Edge, Firefox)

appCodeName (Chrome, Edge, IE, iOS, Silk)

appMinorVersion (IE)

appName (Chrome, Edge, IE, iOS, Silk)

appVersion (Chrome, Edge, IE, iOS, Silk)

browserVersion (IE)

cookieEnabled (Firefox, IE, iOS, Silk)

cpuClass (IE)

doNotTrack (Chrome, Firefox, Silk)

hardwareConcurrency (Chrome, Edge, Silk)

language (Chrome, Edge, IE, iOS, Silk)

languages (Chrome)

maxTouchPoints (Chrome, Edge, IE, Silk)

msManipulationViewsEnabled (Edge)

msMaxTouchPoints (IE)

msPointerEnabled (IE)

onLine (Chrome, Edge, IE, iOS, Silk)

oscpu (Firefox)

platform (Chrome, Edge, IE, iOS, Silk)

pointerEnabled (Edge, IE)

product (Chrome, Edge, IE, iOS, Silk)

productSub (Chrome, Edge, Firefox, iOS, Silk)

standalone (iOS)

systemLanguage (IE)

userAgent (Chrome, Edge, IE, iOS, Silk)

userLanguage (IE)

vendor (Chrome, Edge, Firefox, IE, iOS, Silk)

vendorSub (Chrome, Edge, Firefox, iOS, Silk)

webdriver (Edge, IE, iOS)

Entropy Estimate: TBD, likely 33+

Code

The javascript function below enumerates all navigator properties with a fixed value. You may also download this code here:  fp_nav.zip.
Note: Depending on your output method you may need to URL encode the returned results. 

Validation

Unlike other code on the Internet we do everything possible to verify our code for you. In order to minimize problems and maximize compatibility this code has been verified with JSLint and has been extensively tested with over 1100 OS/Browser combinations using BrowserStack.

Reference

Navigator Object in javascript. How to determine all properties. (Aug 18, 2011). In StackOverflow. Retrieved September 22, 2017, from https://stackoverflow.com/questions/7101751/navigator-object-in-javascript-how-to-determine-all-properties/