WebGL Fingerprinting
The Short Answer: WebGL Fingerprinting is a technique where websites force your browser to draw a hidden 3D image. Because every Graphics Card (GPU) draws pixels slightly differently, the resulting image creates a unique "Hardware Serial Number" that identifies you even if you use a VPN.
The "Picasso" Analogy
Imagine asking 1,000 painters to draw the exact same sunflower. Even if you give them the same canvas and paint, no two paintings will be identical. One painter presses the brush harder; another mixes the yellow slightly darker.
Your Browser is the Painter. When a website asks Chrome to "Draw a Yellow Triangle," your specific GPU (NVIDIA vs AMD) renders that triangle with microscopic differences. These differences are your digital signature.
The Engineering Behind the Attack
There are two distinct vectors for this attack: Static Hardware Lookup and Dynamic Canvas Rendering.
Vector 1: The "Unmasked Renderer"
This is the simplest form. The browser explicitly exposes your graphics card model via the WEBGL_debug_renderer_info extension.
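// 1. Initialize WebGL Context (on a canvas that is never attached to the page)
const canvas = document.createElement("canvas");
const gl = canvas.getContext("webgl");
// 2. Unlock the Debug Extension (returns null if the browser withholds it)
const debug = gl && gl.getExtension("WEBGL_debug_renderer_info");
// 3. Extract the Hardware Name
if (debug) {
  const gpu = gl.getParameter(debug.UNMASKED_RENDERER_WEBGL);
  console.log(gpu); // "Angle (NVIDIA GeForce RTX 4070 Ti...)"
}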
Vector 2: Canvas Entropy (The Math)
This vector is harder to spoof. The script asks the browser to render a hidden 3D scene comprising text, shadows, and geometric shapes.
It then converts the pixel data into a Base64 string using the canvas.toDataURL() method.
Why is it unique?
1. Anti-Aliasing: Different GPUs use different algorithms to smooth jagged edges.
2. Floating Point Math: ARM processors (Apple Silicon) round decimals differently than x86 processors (Intel).
3. Driver Bugs: Specific versions of NVIDIA drivers introduce microscopic artifacts that act as identifiers.
The final image is hashed into a short string. This hash is persistent. Even if you change your IP Address, the math doesn't change.
Defense Strategy: Blocking vs. Spoofing
Option A: Blocking WebGL
This option uses tools like NoScript to disable WebGL completely.
- ❌ Breaks modern websites (Maps, Figma, Games).
- ❌ Makes you highly unique (1 in 10,000 users block WebGL).
- ❌ "The hole in the data is arguably a fingerprint itself."
Option B: Noise Injection (Spoofing)
This option uses privacy browsers like Tor or Incogniton to slightly alter the rendering.
- ✅ Websites still work perfectly.
- ✅ Your hash changes every session (Session Randomization).
- ✅ You blend in with the crowd of "Generic" users.
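A minimal sketch of the session randomization described in Option B, as an added example that is not from the original page or from any browser's actual implementation. All function names are hypothetical, FNV-1a stands in for whatever hash a tracking script computes, and the pixel buffer is constructed sample data rather than real GPU output.

```javascript
// FNV-1a 32-bit: stand-in for the hash a fingerprinting script computes.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// mulberry32: small deterministic PRNG, so the noise is stable within one session.
// Not cryptographic; a real defense would draw the seed from a CSPRNG per session.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Flip the lowest bit of a fraction of R/G/B channels; alpha (every 4th byte) is untouched.
function addSessionNoise(rgba, sessionSeed, rate = 0.05) {
  const rand = mulberry32(sessionSeed);
  const out = Uint8ClampedArray.from(rgba); // copy: the real rendering is not modified
  for (let i = 0; i < out.length; i++) {
    if (i % 4 !== 3 && rand() < rate) out[i] ^= 1;
  }
  return out;
}

// Constructed 16x16 RGBA "rendering": a deterministic gradient, not real GPU output.
function samplePixels() {
  const px = new Uint8ClampedArray(16 * 16 * 4);
  for (let i = 0; i < px.length; i++) px[i] = i % 4 === 3 ? 255 : (i * 7) % 256;
  return px;
}

// Largest per-channel change, to confirm the noise stays visually negligible.
function maxChannelDelta(a, b) {
  let d = 0;
  for (let i = 0; i < a.length; i++) d = Math.max(d, Math.abs(a[i] - b[i]));
  return d;
}

// Raw hash, then the hash seen in two different sessions.
console.log(fnv1a(samplePixels()),
  fnv1a(addSessionNoise(samplePixels(), 1)), fnv1a(addSessionNoise(samplePixels(), 2)));
```

Within one session the seed is fixed, so repeated reads return the same hash and a script cannot average the noise away by rendering twice. Across sessions the hash no longer links back to the same device.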