Someone mentioned this as well in another comment. Turns out most of this could’ve been done as an extension after all :-)
edit: actually, wouldn’t you still need to override the global you’d like to instrument? At that point, the toString of the modified function would leak your hook.
Thanks for sharing some examples! Someone shared a similar project in the other thread. I didn’t realize this at the time of writing haha.
FWIW I still think modifying the browser has some positives wrt stealth and hooking out of process frames (could be wrong on the second part, haven’t actually tested!)
Still good to know though will leave a note in the article :-)
Yeah, there's a pretty overwhelming amount of browser APIs and functionality which isn't always (well-)documented to learn about. If I recall correctly Proxies wouldn't be detectable (seems to be supported by https://exploringjs.com/es6/ch_proxies.html#sec_detect-proxi...) so long as your injected content script runs first (otherwise other code could presumably override the Proxy constructor). You should also be able to hook any embedded frames by setting `target: { ..., allFrames: true }`.
To note, there are undocumented detections of even Proxies, for example using the `in` operator in v8 (such as `proxiedFunc in 1` for some proxied function). Really cool to see a project like this.
How do you use `in` in v8 to detect proxies? I assume it's a difference in the exception, but the message and the cause were the same in both direct and proxied `x in 1`.
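To make the toString leak and the Proxy point from the comments above concrete, here is an added example (not code from the thread or from the project being discussed): a source-text integrity check of the kind an anti-bot script runs over a builtin, applied to a plain wrapper hook and to a Proxy hook. Assumes Node.js; the names `plainHook`, `proxyHook`, `looksNative` and `hookReport` are hypothetical.

```javascript
// Added example, not from the thread. Assumes Node.js; all names are hypothetical.
const toSource = Function.prototype.toString;
const NATIVE_MARKER = '[native code]';

// A plain JS wrapper around a builtin: its own source text is returned by
// Function.prototype.toString, which is the leak mentioned in the comments.
function plainHook(target, onCall) {
  return function (...args) {
    onCall(args);
    return target.apply(this, args);
  };
}

// A Proxy with an `apply` trap: toString treats a callable Proxy like a native
// function, so the source-text check below does not see the hook.
function proxyHook(target, onCall) {
  return new Proxy(target, {
    apply(t, thisArg, args) {
      onCall(args);
      return Reflect.apply(t, thisArg, args);
    },
  });
}

// The check a fingerprinting script would run: builtins (and callable Proxies)
// stringify as "function ... { [native code] }"; ordinary JS functions do not.
function looksNative(fn) {
  return toSource.call(fn).includes(NATIVE_MARKER);
}

// Applies the check to an untouched builtin and to both hooks, and confirms the
// hooks still forward calls to the real function.
function hookReport() {
  const calls = [];
  const record = (args) => calls.push(args.length);
  const original = Math.max;
  const plain = plainHook(original, record);
  const proxied = proxyHook(original, record);
  const works = plain(1, 5, 3) === 5 && proxied(1, 5, 3) === 5 && calls.length === 2;
  return {
    works,                              // true: both hooks are transparent callers
    originalNative: looksNative(original), // true
    plainNative: looksNative(plain),       // false: wrapper source is exposed
    proxyNative: looksNative(proxied),     // true: the trap is invisible to toString
  };
}
```

The takeaway for anyone writing such a check is that a `[native code]` test alone only catches plain wrappers, so it needs to be combined with other signals.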
Ooh nice, I haven’t seen this project! I actually tried attempting this as an extension at first but wasn’t able to override page window functions. I’m curious to know how they accomplished this. (edit: I see that I missed the chrome.scripting API facepalm)
Thank you for sharing :)
FWIW I still think a custom browser approach has some benefits (stealth and executing in out of process iframes; could be wrong on the second part, haven’t actually tested!)
Sadly, spoofing GPU vendor & renderer can be an even larger flag since they can hash the resulting image of the canvas to compare it with a database of collected fingerprints[0].
Apple does it because they don’t have a vested financial interest in internet-wide tracking.
Google does.
And while Mozilla does too because the vast majority of their funding comes from Google, it’s more pertinent that they don’t have the market share to pull this off. Firefox would just stop working on major websites if they did this.
Doesn't that just move the goalposts though? Instead of using your GPU vendor for the fingerprint they can just hash the output canvas after they make a bunch of odd rendering calls, getting a hash from the quirks of your graphics driver and GPU hardware.
Most anti-bots will send other browser characteristics as well and can detect if one is lying about which browser, and even which version they're using based on which APIs and properties are/aren't available.