Recently made this extension and interested in getting some feedback on it.
Vytal can spoof your timezone, locale, geolocation and user agent. This data can be used to track you or reveal your location.
Most extensions that provide anti-fingerprinting features rely on content scripts to inject script tags into webpages. There are many limitations to script tag injections which you can read about here: https://palant.info/2020/12/10/how-anti-fingerprinting-exten...
Vytal utilizes the chrome.debugger API to spoof this data. This allows the data to be spoofed in frames, web workers and during the initial loading of a website. It also makes the spoofing completely undetectable.
You can test and compare Vytal and other extensions on https://vytal.io
Unfortunately it doesn't work on Firefox since Firefox doesn't support the debugger API. Works on Brave tho.
> It also makes the spoofing completely undetectable.
It's my understanding that the usage of the debugger is detectable by scripts running on the page. I've actually come across content websites that will refuse to activate their features (play video) if the debugger is active.
Similarly on Android some video streaming apps will refuse to load and play their content catalog if USB debugging is enabled.
A JavaScript file, whose name changes with every refresh, is loaded. The script calls the `debugger` keyword, which only functions when you have DevTools open.
Meanwhile, a ticker is running. If a tick takes too long, it interprets that as the debugger having been called.
There are a bunch of sophisticated ways to obfuscate it, but it basically boils down to:
<script>
  setInterval(function() {
    try {
      // getTime() returns milliseconds since the epoch.
      let before = new Date().getTime();
      // This will pause the program execution if debugging is enabled.
      // If debugging isn't enabled this statement is a no-op.
      debugger;
      let after = new Date().getTime();
      // Detect if the program was paused or not.
      if (after - before > 10) {
        // > 10ms difference? The program was (most likely) paused by the debugger.
        document.body.innerHTML = "<h1>Debugging started</h1>";
      }
    } catch(e) {}
  }, 1000);
</script>
There are some other ways to detect it by implementing various prototype methods and continually logging the object to the console. The methods are only invoked if the dev console is opened.
I'm able to get it to trigger on about ~10-20% of page reloads with your extension activated. Never when it isn't. Maybe it's just a matter of tuning the interval and detection threshold?
I don’t have a link offhand but I’ve seen this code while debugging some pirate sports streams. The next upcoming one to check would be an NBA game from “nba bite” (Google it, it’s the offshoot of the banned sports streaming subreddits.)
I think you’re probably right that it wouldn’t detect presence of your extension, since that code runs in its own context and I assume doesn’t actually call the debugger. If your extension injects a script into the page, then that could be detected with this technique or similar.
I'm commenting here both to remind myself to check back and try this out when I'm not on mobile, and to thank you for building this- at first glance it looks good.
Is it safe to do? I mean I want to stop this message for Vytal only, because I know that it uses debugger API. But I would want to know if tomorrow my adblocker starts to use debugger API.
Any existing extension would have to explicitly declare the appropriate permission for using the debugger API. Chrome automatically disables extensions that add new permissions until you review them.
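The permission review described above can also be done by hand when an extension updates. As an added example (not from the thread and not Vytal's code), this Node.js script diffs the permissions declared in two versions of a `manifest.json` and flags a newly requested `debugger` permission; the sample manifests and function names are constructed for illustration.

```javascript
// Permission named in this thread as the one to watch for.
const HIGH_RISK = new Set(["debugger"]);

// Gather every declared permission string from a parsed manifest.json.
// Manifest V2 lists host patterns under "permissions"; Manifest V3 uses
// "host_permissions". All three standard keys are read so both work.
function collectPermissions(manifest) {
  const keys = ["permissions", "optional_permissions", "host_permissions"];
  const out = new Set();
  for (const key of keys) {
    const list = Array.isArray(manifest[key]) ? manifest[key] : [];
    for (const p of list) {
      if (typeof p === "string") out.add(p);
    }
  }
  return out;
}

// Compare two versions of a manifest and report what changed.
function diffPermissions(oldManifest, newManifest) {
  const before = collectPermissions(oldManifest);
  const after = collectPermissions(newManifest);
  const added = [...after].filter((p) => !before.has(p)).sort();
  const removed = [...before].filter((p) => !after.has(p)).sort();
  return {
    added,
    removed,
    addsDebugger: added.some((p) => HIGH_RISK.has(p)),
  };
}

// Constructed sample: a hypothetical ad blocker before and after an update.
const adblockV1 = {
  manifest_version: 3,
  permissions: ["storage", "webRequest"],
  host_permissions: ["<all_urls>"],
};
const adblockV2 = {
  manifest_version: 3,
  permissions: ["storage", "debugger", "tabs"],
  host_permissions: ["<all_urls>"],
};

console.log(diffPermissions(adblockV1, adblockV2));
```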
Many (most?) VPN mechanisms don't entirely remove access to the other routes from apps that manually request them, so even if an app isn't able to use something akin to "location services" on your device it might still easily be able to get access to your other IP addresses by sending requests with sockets manually bound to specific interfaces, and even might choose to lower the priority of information learned using interfaces that are clearly tunnel devices instead of network cards.
Also known as split tunnel, this can be used by corporate VPN solutions to lower the amount of network traffic entering a data center (so you don’t overload your undersized pipes)
No, I don't mean that. That's when you purposefully set your routing table to split some traffic to different paths. The premise here is that even if all of your traffic is supposedly going over a VPN, an app can often opt out of that and do whatever it wants.
I thought the complaint was that the browser was figuring it out directly and then exposing it, such as via the browser's location API, not that the website was figuring it out using non-location network mechanisms provided by the browser.
(FWIW, a website that is given media recording privileges can definitely do that, though, using WebRTC. If you don't have that privilege then you can still use the WebRTC API but it doesn't return alternative candidates. But I also don't think that is what they meant.)
There are services that wardrive around mapping locations of WiFi access points. Your laptop periodically will phone home with your nearby Wi-Fi MAC addresses (BSSIDs) to ask where they were detected.
By the way, if you've ever noticed a brief packet drop or latency spike (usually a few 100s of ms) while pinging a server from your Mac, it might be because your device is doing this.
When Location Services is on (which it is by default), macOS will periodically switch your wireless card to monitor mode to find those nearby SSIDs. That briefly interrupts normal network traffic.
IIRC, it does this more often when Find My.app is turned on.
You can disable Location Services in: System Preferences > Security & Privacy > Location Services
Firefox has something called the Mozilla location provider, which maps WiFi access points to locations, which is similar to what Google Maps uses when you have GPS disabled on mobile.
Go to about:config and set geo.enabled to false.
If you're on Android, you'll need either an unstable version (Beta, Nightly) or a fork (Fennec from F-Droid) of Firefox to get access to that page because Mozilla decided users of the standard distribution can't be trusted with these settings.
I don't want to dislike Firefox, but I am starting to find new reasons to resent it. It seems like every other week there is something new I'm finding out about that gives me pause before running updates. Every new 'feature' brings me further and further away from feeling like it's a browser I can trust to be just a browser. Something has to change. Pocket, Allo, still taking the Google allowance, absolutely squandering their endowments on salary, too much focus on social signaling and politics. Just be a browser, please.
I won't be going to anything Chrome-like, but I do see myself spending a lot more time using and sponsoring qutebrowser, or simply passively consuming offline.
If wanting a browser to be just a browser is petty, then I am the pettiest. If you haven't tried qutebrowser yet, give it a shot. When I say just a browser, this hits it pretty close, if you ask me.
Vim mode is pretty neat. It seems like the whole app is kind of just like a Python GUI app wrapper around WebKit? Looks like it would be pretty good if I was using Linux and a tiling WM as my main thing but these days I'm pretty bound to Windows for the type of development I'm working on.
Most of my Linux desktop usage these days is stuff like writing scrapers in cloud containers that need a real browser that I can control using Selenium or Puppeteer or whatever though, is it supporting anything like that? If this works on Windows too that would be a bonus.
I don't know if it supports that type of workflow yet, but I hope something fills that void soon. It's a very real need with a clearly defined utility.