科技回声
A tech news platform built on Next.js, carrying global tech news and discussion.
© 2025 科技回声. All rights reserved.

Show HN: What every browser knows about you

553 points by Capira, about 9 years ago

58 comments

MichaelGG, about 9 years ago
Not sure why battery is exposed; I guess that's the result of making browsers more like OSes.

The only really annoying thing is the idiotic WebRTC settings. Their love for "data channels" with zero prompts, despite having no legitimate uses[1], ignores your proxy settings. This should be fixed.

1: I asked someone involved with WebRTC. They suggested "maybe a page wants to communicate with your fridge directly" as a serious use of WebRTC data channels.
stephenr, about 9 years ago
So, literally all this said was:

- "MacIntel"

- some stuff from my User Agent string (changing it to IE11 made it think I'm on Windows 8)

- my public IP, network provider and approx. downstream speed.

I don't use Facebook or Google so I don't know if those things would have worked.

None of the network scanning worked, it didn't use the geolocation stuff, etc.

If Chrome/Firefox/IE do allow access to all/some of those things without prompting, jesus titty fucking christ.

All of you claiming "Safari is the new IE6" need to perhaps pay attention.

Google has a vested interest in pushing browser technologies regardless of the cost to privacy or user security - their ChromeOS devices depend on a world where web apps can do everything.
educar, about 9 years ago
http://webkay.robinlinus.com/scripts/social-media.js that's a cool trick, thanks for this!
flexd, about 9 years ago
This is a perfect example of what an attacker could do with your browser. If you can get a user's browser to run code, as this site demonstrates, there is a lot of information you can find. And coupled with a Cross-Site Request Forgery, you could get access to a bunch of things. If your home router has a vulnerability that bypasses authentication and allows you to execute commands on the router or similar (which is not uncommon, home router security is awful), you could get a foothold into the network just by sending someone an email with links that they are likely to click on.

Note to the author: I am not entirely sure how the WebRTC connection gets you a local IP, it seems to be connecting to stun:stun.services.mozilla.com. Anyway, that grabs the wrong local address for me, and gets the IP of my docker0 interface, perhaps it could grab more IPs, or is it just displaying the first one it finds?

Edit: Oh, the getIP function just calls the callback on the first candidate it finds.
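The docker0 address flexd sees is a consequence of how ICE gathering works: the browser emits one host candidate per local interface, and a script that stops at the first candidate reports whichever interface came first. The parser below is an added example written for this edit (not the thread's or the demo site's code) for anyone auditing their own browser: it parses every `candidate:` line of the form RTCPeerConnection's `onicecandidate` events carry, classifies each one, and lists the private addresses a page would have learned. The four candidate lines are constructed samples, including the mDNS `.local` form current browsers use to hide host addresses.

```javascript
// Added example: parse ICE candidate lines (RFC 5245 "candidate:" syntax, as
// delivered by RTCPeerConnection's onicecandidate events) and report which ones
// disclose a local (RFC 1918 / link-local) address.

// Constructed sample candidates, in the order a browser might emit them on a
// machine with a docker0 bridge, a LAN interface and a NAT with a public address.
const SAMPLE_CANDIDATES = [
  "candidate:842163049 1 udp 2122260223 172.17.0.1 52034 typ host generation 0",
  "candidate:842163050 1 udp 2122260223 192.168.1.23 52035 typ host generation 0",
  "candidate:1853887674 1 udp 1686052607 203.0.113.7 52035 typ srflx raddr 192.168.1.23 rport 52035 generation 0",
  "candidate:2471045 1 udp 2122260223 6c1f9b2a-3e4d-4b5a-9c8d-1e2f3a4b5c6d.local 52036 typ host generation 0",
];

// Parse one "candidate:" line into named fields; returns null if it is malformed.
function parseCandidate(line) {
  const m = /^candidate:(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+typ\s+(\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const candidate = {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7], // host | srflx | prflx | relay
  };
  // Server-reflexive and relay candidates also carry the related (local) address.
  const raddr = /raddr\s+(\S+)/.exec(m[8]);
  if (raddr) candidate.relatedAddress = raddr[1];
  return candidate;
}

// True for IPv4 addresses in the RFC 1918 ranges or 169.254/16 link-local.
function isPrivateIPv4(addr) {
  const parts = addr.split(".");
  if (parts.length !== 4) return false;
  const o = parts.map(Number);
  if (o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return (
    o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254)
  );
}

// What does this candidate reveal to the page that gathered it?
function classifyCandidate(candidate) {
  if (candidate.address.endsWith(".local")) return "mdns-obfuscated";
  if (candidate.type === "host" && isPrivateIPv4(candidate.address)) return "private-host";
  if (candidate.type === "srflx") {
    return candidate.relatedAddress && isPrivateIPv4(candidate.relatedAddress)
      ? "public-with-private-raddr"
      : "public";
  }
  return "other";
}

// Report every candidate, not just the first: this is what a getIP() that
// stops at the first candidate misses (it would return only the docker0 one).
function auditCandidates(lines) {
  return lines
    .map(parseCandidate)
    .filter((c) => c !== null)
    .map((c) => ({ address: c.address, type: c.type, exposure: classifyCandidate(c) }));
}

// Private addresses the page would learn, deduplicated, in emission order.
function leakedPrivateAddresses(lines) {
  const out = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const exposure = classifyCandidate(c);
    if (exposure === "private-host") out.push(c.address);
    else if (exposure === "public-with-private-raddr") out.push(c.relatedAddress);
  }
  return [...new Set(out)];
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditCandidates(SAMPLE_CANDIDATES));
}
```

In a browser you would feed `auditCandidates` the `event.candidate.candidate` strings from a throwaway `RTCPeerConnection` to see exactly which of your interfaces are exposed; a browser that only emits `.local` candidates, or a profile with WebRTC restricted, yields an empty `leakedPrivateAddresses` list.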
mjs, about 9 years ago
The speedtest http://webkay.robinlinus.com/scripts/speedtest.js downloads a 5mb file from http://www.kenrockwell.com/contax/images/g2/examples/31120037-5mb.jpg.

You might want to change that to something on a big company CDN to avoid killing kenrockwell.com's server.
throwanem, about 9 years ago
Scanning the visitor's /24 without notice, warning, or opportunity to opt out is a dick move. Our IDS probably just lit up like a Christmas tree.
chrismartin, about 9 years ago
Someone should make a smartphone app version of this to demonstrate what is accessible via the app permissions that most people just blindly accept at install time.

"Here are all the nudie pics on your phone as identified by our nudity detection algorithm. Here is a list of your probable work and family contacts. Here is the MMS that you really don't want this app to send on your behalf!"
strooper, about 9 years ago
I didn't realize that a browser would spill my local IP address, or might be able to scan local devices on the same network. Shouldn't browsers have settings to enable/disable access to device sensors or data?
golergka, about 9 years ago
While it hardly surprises any of the HN audience, it's a GREAT showcase for a less technical audience.

I see that you removed automatic network scanning due to a comment here; but since it's an educational project, I think it would be valuable to add a comment that explains that a malicious website could get that info without consent.
ryuuchin, about 9 years ago
I see NoScript being recommended but if you're not using Firefox this isn't an option. Luckily both uBlock[1] and uMatrix[2] are cross platform and will work on most (any?) Chromium based browsers as well as Firefox. All instances of uBlock in this post are referring to uBlock Origin[1].

In addition to NoScript both uBlock[1] and uMatrix[2] can be configured to block javascript (you can block both 3rd and 1st party javascript with either). In fact even on Firefox I would recommend trying uMatrix instead of NoScript because of the interface but my opinion is probably biased since I've been using it for some time now. You can keep NoScript enabled in this situation, just make sure to whitelist TLDs and allow scripts globally (also remove the built in whitelist while you're at it).

If you want a simpler solution which offers the best bang for your buck then using uBlock in medium mode[3] is what I would recommend. This will block 3rd-party scripts and iframes (globally). Any page breakage that occurs as a result can be very easily handled by setting a noop for scripts and/or iframes for that page's scope. You can also block 1st party scripts if you really want to but it will likely cause a lot more stuff to break. uBlock can also enable browser settings that will prevent WebRTC leakage under certain circumstances.

On a side note if you're using even just uBlock then that will likely remove the need for running additional privacy extensions (save ones that deal with cookies) like Disconnect which also block network requests (you can use the Disconnect lists from within uBlock). uMatrix does give you the control over cookies.

[1] https://github.com/gorhill/uBlock

[2] https://github.com/gorhill/uMatrix

[3] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
JensRex, about 9 years ago
Not much of interest showed up for me. Monitor resolution, browser ID, geo location, OS and public IP.

My main browser, Firefox, has uBlock and Self-Destructing Cookies. Tried it in both IE11 and Edge (both of which I never use), and I got pretty much the same result. Firefox and Epiphany on Gentoo Linux also failed to startle me.

I'd like to see a screenshot of a "worst case scenario".
pdkl95, about 9 years ago
> Geo Coordinates: [lat,lng about 90 miles from the correct location]

I find that error hilarious, because I set up correct in-addr.arpa and ip6.arpa reverse DNS entries for my (static) IP, which return a domain name that has an accurate LOC record. My IP is two DNS queries away from my location (~10m precision), yet most of the time everyone uses these geoip databases instead of LOC.
okket, about 9 years ago
OS X 10.11.4:

Safari 9.1: Minimal HW/SW detection, No social media leak, No network scan (after click)

Safari 9.1.1 (Tech Preview): Minimal HW/SW detection, No social media leak, No network scan (after click)

Chrome 49.0.2623.110: Full HW/SW detection, Social media login detected, Network scanning (after click)

Firefox 45.0.1: Full HW/SW detection, Social media login detected, Network scanning (after click)
userbinator, about 9 years ago
This shows just how powerful JavaScript can be --- without it, the site shows nothing.

...which is not entirely correct, since your user agent, request headers, and IP are still visible. There's plenty of other sites which will show you those without requiring any client-side scripting. Here's one just from a quick Google search:

http://www.xhaus.com/headers

(Interestingly, you can see GoogleBot's IP and request headers if you view Google's cached version of the page.)
yxlx, about 9 years ago
I found it interesting that it could read my battery level and discharging time. As for device orientation, I think I've seen that before but I had forgotten about it being possible.
alwaysdownvoted, about 9 years ago
"What _every browser_ ..."

How about text-only browsers?

How about homemade "browsers" that are powered by netcat?

As one informal poll appeared to show, many users questioned on the streets of an American city did not even know what a "browser" was.

Most times I only want to retrieve files (download) via some daemon running on some remote computer and then view them on my computer. That includes text, hypertext, or binary. Pretty much the same as in 1993.

I rarely use a graphical browser to do this. It is not needed.

Instead, today, unlike 1993, I am using a graphical "browser" to _play video_ after I download it (no internet connection). But playing a video file is not "browsing". Something is not right.

Seems like the www took a wrong turn.
freditup, about 9 years ago
Surprised the website didn't list installed fonts anywhere. Fonts, along with other device details, can be a great way to fingerprint a browser/user.

Edit: Actually, I believe you need Flash or a Java applet to actually get a list of fonts installed. But you can do other, slow, iterative approaches via JS.
Cshelton, about 9 years ago
The social media thing is cool, I didn't know that trick of using the favicon.ico img under the login of a site to see if the image will load or not. That's pretty nifty
m1sta_, about 9 years ago
The clickjacking is the only one that surprised me. Very unnerving. Need to read more about it.
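Both of the tricks that impressed Cshelton and m1sta_ depend on a site-side choice. The favicon probe works only because a cross-site `<img>` request to a login-protected URL still carries that site's session cookie, so the response differs between logged-in and logged-out visitors; clickjacking works only because the page lets itself be framed. The block below is an added example, written for this edit and not code from the thread or the demo site: it builds the response headers that remove both conditions (`SameSite` on the session cookie, `Content-Security-Policy: frame-ancestors`, with `X-Frame-Options` for older browsers) and includes a deliberately simplified model of the browser rules so the effect of each setting can be checked offline. The origins, cookie value and the two-label "same site" test are assumptions made for the example.

```javascript
// Added example: response headers that defeat cross-site login probes (the
// favicon trick) and clickjacking, plus a small model of the browser-side
// rules so each setting's effect can be verified without a browser.

// Constructed origins for the scenario.
const APP = "https://app.example";   // the site whose login state is probed
const PROBE = "https://probe.example"; // the third-party page doing the probing

// Headers a site's session-bearing responses should send. The cookie value is constructed.
function hardenedHeaders({ sessionValue }) {
  return {
    // SameSite=Lax: sent on top-level navigations to this site, withheld on
    // cross-site subresource loads such as <img src=...>, so a probe from
    // another site always sees the logged-out response.
    "Set-Cookie": `session=${sessionValue}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    // frame-ancestors is the current framing control; X-Frame-Options covers
    // browsers that predate it. 'self' still allows same-origin framing.
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Parse a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const [k, v] = a.split("=");
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Simplified "same site": compare the last two host labels. Real browsers use
// the Public Suffix List; this is enough for the sample origins here.
function sameSite(originA, originB) {
  const site = (o) => new URL(o).hostname.split(".").slice(-2).join(".");
  return site(originA) === site(originB);
}

// Would the browser attach this cookie to a request made by a page at
// requestOrigin to the cookie's site? kind is "subresource" (img, script,
// fetch) or "navigation" (top-level GET). defaultSameSite models the browser
// default when the attribute is absent: "Lax" in current browsers, "None" in
// the 2016-era browsers this thread discusses.
function cookieSentOn(setCookieHeader, { requestOrigin, siteOrigin, kind, defaultSameSite = "Lax" }) {
  const { attrs } = parseSetCookie(setCookieHeader);
  const mode = String(attrs.samesite || defaultSameSite).toLowerCase();
  if (sameSite(requestOrigin, siteOrigin)) return true;
  if (mode === "none") return true;
  if (mode === "lax") return kind === "navigation";
  return false; // strict: never on cross-site requests
}

// Framing decision: frame-ancestors takes precedence; X-Frame-Options applies
// only when the CSP directive is absent; with neither, framing is allowed.
function framingAllowed(headers, { parentOrigin, selfOrigin }) {
  const csp = headers["Content-Security-Policy"] || "";
  const directive = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("frame-ancestors"));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.includes("'none'")) return false;
    if (sources.includes("'self'") && parentOrigin === selfOrigin) return true;
    return sources.includes(parentOrigin);
  }
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === selfOrigin;
  return true;
}

// Summary of what a probe page at PROBE can learn from APP under a given header set.
function probeOutcome(headers) {
  return {
    loginProbeWorks: cookieSentOn(headers["Set-Cookie"], { requestOrigin: PROBE, siteOrigin: APP, kind: "subresource" }),
    canBeFramed: framingAllowed(headers, { parentOrigin: PROBE, selfOrigin: APP }),
  };
}
```

`probeOutcome(hardenedHeaders({ sessionValue: "x" }))` reports both attacks closed, while a legacy `Set-Cookie` without `SameSite`, evaluated with `defaultSameSite: "None"`, reproduces the condition the favicon trick relied on in 2016. Note that `SameSite=Lax` still sends the cookie on a cross-site top-level navigation, which is why it does not break ordinary links into the site.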
msl, about 9 years ago
For some reason, this worked really badly when I tried it. About the only things it figured out were that I run Linux on an x86_64 system and use Firefox. Well, it did get my ISP right, so that pretty much limits my location to a single country. Even my display resolution was not right. It did find quite a few devices on my network. All of them non-existent, though.
techthroway443, about 9 years ago
If you try this with your iPhone it activates your gyroscope and says "Your Device is probably in your Hands."

It knows too much
dc2, about 9 years ago
@Capira since you're so readily fixing things based on comments (awesome), here's another one.

You write "To prevent your browser from accessing your Device Orientation use NoScript." under the Network Scan section. Looks like copy / pasta.
dineshp2, about 9 years ago
After checking out the demo, it was scary to realize that websites can access an unexpectedly large amount of information about me.

So I installed Tor with the NoScript addon and the demo was not able to access any details at all. Well it did show my ISP and hardware details, but it was wrong.

This should be the default setup in a browser, Tor+NoScript.

The issues of constant captcha harassment and slow browsing speed using this setup need to be addressed. Slow browsing can be addressed by adding more nodes to route traffic. Regarding the captcha issue though, I am not sure about a good working solution.
wnevets, about 9 years ago
GPU: Vendor: Google Inc.
wicket, about 9 years ago
I didn't like that it was able to obtain my battery information. I discovered that this can be prevented in Firefox by setting dom.battery.enabled to "false" under about:config.
rvdm, about 9 years ago
Some interesting things could happen if you were to start collecting every user's visit with a timestamp.

For example, ip address + timestamp + even a rough geo ip location could reveal travel patterns of users simply visiting your site.

Let's say those travel patterns include visits to nations less friendly to the US and you just might find out some details about someone (or at least a certain IP) they really wouldn't want you to know.

All you need is a web server and a little bit of javascript.
Bahamut, about 9 years ago
I'm not quite sure what this is meant to prove - all of what was revealed for me seems tame. Is it meant to scare users into disabling JS?
tomyws, about 9 years ago
Interestingly after visiting this page the default language on the Google Accounts sign-in had been changed to German.
tacone, about 9 years ago
The network scanning thing is both scary and revealing. I never thought about that, thanks!
techload, about 9 years ago
While visiting this page it tried to open my router's admin panel. Anyone see this too?
_RPM, about 9 years ago
I am a hacker. How the hell does it know my local IP? Via WebRTC I presume?
dustinlakin, about 9 years ago
Thanks for the nice demonstration. Looks like the speed test is running off a very random source image that might not be yours. If it isn't, you might want to look at hosting your own image for it.
AdmiralAsshat, about 9 years ago
I visited the page once on my Android using my HN app's built-in webkit browser, where it displayed some interesting stats like the location, the battery level, ISP, etc.

I opened the same link in Firefox Android with uBlock Origin installed, and got no hardware stats other than the kernel, no software stats, and no IP.

My takeaway from this is to NEVER use an app that uses Webkit.

I'm not sure if that was the intended purpose, but thanks for the eye-opener anyway!
burkemw3, about 9 years ago
I would be interested in reading about how all of these are detected.

I know how some of them are, but not all. I predict others are in this boat, and interested in learning!
ancarda, about 9 years ago
> To prevent your browser from leaking information about your software use NoScript.

Surely you can source this information (OS and browser) from the User Agent?
sudojudo, about 9 years ago
Between NoScript and Random Agent Spoofer, nothing is correct except my resolution and a couple of plug-ins (like Flash and VLC).

Shutting NoScript off doesn't make too much difference, and I don't think RAS does that much (some sites seem to see through it), so it must be one of the other addons (uBlock Origin, Disconnect, BetterPrivacy, HTTPS Everywhere).
butz, about 9 years ago
And what are the methods to prevent a browser from leaking all this information? I presume browsing in private mode is not a solution.
unclebucknasty, about 9 years ago
Something about visiting the page seems to knock my Android phone off of Verizon&#x27;s data network for a short period.
merpnderp, about 9 years ago
Holy crap, I'm glad I have NoScript running and only allow the minimal JS I need to run on pages I somewhat trust.
known, about 9 years ago
https://panopticlick.eff.org/
chmike, about 9 years ago
This gave me the idea of creating a NoScript label for web sites that don't use javascript. It could be information passed in the page header as a specification (contract). I have a few web sites without javascript.

Is NoScript supported by iOS Safari?
ahrs, about 9 years ago
Safari on iOS doesn't leak anything out of the ordinary for me. The geolocation was way off, identifying my iPhone as being in London (likely due to me accessing the page over a mobile data connection).
m_eiman, about 9 years ago
You should also be able to detect Retina/normal DPI, in addition to the reported resolution. A bit of "responsive" CSS and checking what was selected using JS should be enough?
pnathan, about 9 years ago
Heh, the facebook like detection thing failed utterly. Not sure how, or why. But, I am not even logged into facebook on this computer - and never have been. :-)

But a very cool hack.
graeme, about 9 years ago
Is there a NoScript equivalent for other browsers apart from Firefox? Most of the recommendations were "noscript". And I had a lot of info leaking.
hyperion2010, about 9 years ago
Well, back to using noscript again since browsers are creeping closer and closer to arbitrary code execution platforms.
phyalow, about 9 years ago
Guess I'm adding ScriptSafe to my list of Chrome plugins (Adblock, Ghostery, HTTPS Everywhere, Random Agent Spoofer).
JonMuzy, about 9 years ago
Great project, actually seeing some pretty interesting stuff I didn&#x27;t know was available. Thanks for this
taf2, about 9 years ago
Got my location wrong by about 50 miles
mcintyre1994, about 9 years ago
I'm impressed that Safari on iOS apparently doesn't leak image metadata when you upload.
Johnny_Brahms, about 9 years ago
So, the network scan gives me about 40 extra devices in my network. Should I be worried?
pmar3003, about 9 years ago
I guess I'll stick to Opera 12 since it does so much better than Firefox.
cerebralcow, about 9 years ago
Aren&#x27;t you missing details about the screen resolution and ppi?
ppod, about 9 years ago
I had no idea this laptop had a GPU! Thanks!
SixSigma, about 9 years ago
Glad to see that I leaked precisely zero of those.

Thanks NoScript
guyvkn, about 9 years ago
Vvv
justinlardinois, about 9 years ago
> Your Device is propably laying on a Table

I'm one of those heathens that actually puts the desktop tower on top of the desk. Got me.
necessity, about 9 years ago
Ok, so it doesn't know anything but my OS and screen resolution. Seems good to me, considering I'm not using NoScript and the like.