Canvas | Spoofing 2D fingerprinting

Canvas spoofing is one of the most powerful tools of Kameleo.

Canvas is an HTML5 API which is used to draw graphics and animations on a web page via scripting in JavaScript. But apart from this, canvas can be used as additional entropy in web-browser’s fingerprinting and used for online tracking purposes.

The technique is based on the fact that the same canvas image may be rendered differently in different computers. This happens for several reasons. At the image format level – web browsers use different image processing engines, image export options, compression level, the final images may get different checksum even if they are pixel-identical. At the system level – operating systems have different fonts, they use different algorithms and settings for anti-aliasing and sub-pixel rendering.

Kameleo can simply override the way how the graphics are being drawn on the canvas. This way it can be very different. See the image below.

Kameleo-Canvas-NormalSpoofing-Compare.png

The problem with it is that it will be 100% unique (as you can see on browserleaks.com/canvas)

Intelligent Canvas Spoofing

Kameleo has a feature called Intelligent Canvas Spoofing. In this case, the canvas data will be derived from the Base Profile and the Machine Learning algorithm on browserleaks.com/canvas won’t see at all that the canvas is spoofed.

Kameleo-Canvas-IntelligentSpoofing-Compare.png

Canvas spoofing is one of the most powerful tools of Kameleo. Many websites using it to identify your device so there are a lot of privacy tools that help to hide it but none of them can spoof it like Kameleo.

Privacy tools may block canvas but then you will be suspicious and unique because not too many users are blocking it. Most of the sites may block you then.

Other tools may simply override how your canvas is drawn for every profile. This worked a couple of years ago but lately, Machine Learning Algorithms can realize those fake canvases. This is the case when you see 100% uniqueness on browserleaks.com/canvas.

In Kameleo there is an enhanced way of spoofing. The result is a natural-looking canvas that is still spoofed. Websites won’t see that you are changing your canvas but it will be different for all your virtual profiles.

An often asked question

Canvas is not spoofed. For 2 profiles I see the same hash on browserleaks.com/canvas

No worry, it is not a problem. It happens because you choose 2 really similar configurations. 2 very similar chromes will render canvas the same way. This is how the Machine Learning Algorithm can tell for example that you are using Chrome with Windows.

If you try different configurations:

  • macOS – Chrome
  • Windows 7 – Chrome
  • Windows 10 – Chrome

You should see they have totally different signatures. Exactly how it should be.

Kameleo-Canvas-99.xx_.png

If you see what browserleaks.com/canvas says: out of 474678 user agents 1131 will be the same. So 0.24% of the user agents are the same. If you want a unique fingerprint for sure you should disable the intelligent canvas spoofing but that may not guarantee a natural profile since the consistency will break due to the 100% unique canvas.

See video

Was this article helpful?
0 out of 0 found this helpful