Skip to main content

Posts

Showing posts from January, 2019

Hardware fingerprinting with a web browser

While I was updating jQuery Fancy File Uploader to support recording video and audio from webcams, microphones, and other media sources, I ran into an interesting web browser security related problem that appears to affect all major web browsers that support the MediaRecorder API.

From the Developer Tools console of your favorite web browser, run this one-liner:
navigator.mediaDevices.enumerateDevices().then(function(devices) { console.log(devices); }); Then go to another page on the same domain and repeat the process. Try it in a new tab. As of this date, in both Firefox and Chrome (untested in Edge), it looks like the 'deviceId' of each attached hardware audio/video device remains static across a domain during a single browser session. Since a lot of people leave their web browsers open for long periods of time, this information can be used to track a user's activity across a single domain without using cookies or localStorage. The user is also not alerted to the …