31 comments

[ 66.5 ms ] story [ 2467 ms ] thread
Very interesting, thanks!

For the fingerprinting part, can you explain the difference with the JShelter browser extension (https://jshelter.org/)?

I checked as you did in your demo video with https://demo.fingerprint.com/playground (using JShelter in Firefox). It produces a fingerprint detector report, like so :

{

    "fpd_evaluation_statistics": [
        {
            "title": "Navigator.prototype.plugins",
            "type": "resource",
            "resource": "get",
            "group": "BrowserProperties",
            "weight": 0,
            "accesses": 0
        },
        {
            "title": "MediaDevices.prototype.enumerateDevices",
            "type": "resource",
            "resource": "call",
            "group": "BrowserProperties",
            "weight": 1,
            "accesses": 2
        },
        [...]
}

However, it appears there is no way to display what was actually produced by the browser.

Was this the reason you had to build your own browser? Or is it possible to extend JShelter to do the same?

Most of my job is reverse engineering a major website builder company's code so we can leverage their undocumented features. It's often a difficult job but your project could make it easier. I'm sure there are others out there that will find this useful.
Not to comment on the rest of article or the author's goals, but it's absolutely possible to use a content script (dynamically injected into the `main` world, as opposed to the default `isolated`, for example: https://github.com/tbrockman/browser-extension-for-opentelem...) and Proxy's (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...) to hook (most? if not all) Javascript being executed in the webpage transparently.

Which for some functionality would have been a bit more portable and involved less effort.

You can just use Proxy to get around toString shenanigans and prevent any detection whatsoever.
no you cannot since you can throw an exception and your proxy will be leaked leading to a detection.
How are you gonna throw an error inside Array.prototype.push?
Very cool, thanks for sharing. I would love to see this show up as an OSS project. I know a few people who would likely enjoy being able to contribute if that's something you'd be looking for.
feature request: allow setting breakpoints without having obfuscator debugger statement loops get in the way
Interesting tool. Would love to contribute
resworb nwo ym detnaw syawla ev'i dna reenigne esrever a m'I
.ƨbɿɒwʞɔɒd ɘɿɒ ƨɿɘɟɟɘl ɿuoY
This is neat but it also makes me uncomfortable to see just how much fingerprinting is done these days. TikTok is creepy but I'm sure they aren't the worst.
This is such an eye opening, and really interesting. It reminded me of projects like XprivacyLua that "expose" the different calls and request from android apps. Great work!
Neat investigation but I didn’t totally follow how the project would be useful for reverse engineering, it seems like a project that would mostly be useful for evading bot checks like web scraping or AI automation.
...and power users. This is a browser that acts in the interests of the user, something that the mainstream authoritarian technocracy is actively trying to destroy and has been ever since they removed "View Source" from its customary place.
"toString theory" is an incredible title for that section
For anyone that doesn't want to maintain a fork of chromium, just download the PDB and hook it at runtime for spoofing and/or dumping call logs. For hook itself just add your dll as a dependency in the PE structure.
Love this blog, still waiting on part 2 of Reverse Engineering Tiktoks VM
I would love to be able to see IFrame and BroadcastChannel communication
I am amazed what you've accomplished here: adding your own custom CDP domain. Years ago I gave up on trying to hack Chromium (I wanted to learn how to add back Manifest Version 2 support before it got removed.).

Build times were way longer on my potato hardware. Since then I haven't touched much C++.

It would be dangerous if this tool fell into the wrong hands.

Where's the wait list?

In the past I've considered forking Chromium so every asset that it downloads (images, scripts, etc) is saved somewhere to produce a sort of "passive scraper".

This article made me consider creating a new CDP domain as a possible option, but tbf I haven't thought about this problem in ages so maybe there's something less stupid that I could do.

skibbiddi bum bum
bum bum bum bum bum