Recently made this extension and interested in getting some feedback on it.
Vytal can Spoof your timezone, locale, geolocation and user agent. This data can be used to track you or reveal your location.
Most extensions that provide anti-fingerprinting features rely on content scripts to inject script tags into webpages. There are many limitations to script tag injections which you can read about here: https://palant.info/2020/12/10/how-anti-fingerprinting-exten...
Vytal utilizes the chrome.debugger API to spoof this data. This allows the data to be spoofed in frames, web workers and during the initial loading of a website. It also makes the spoofing completely undetectable.
You can test and compare Vytal and other extensions on https://vytal.io
Unfortunately it doesn't work on Firefox since Firefox doesn't support the debugger API. Works on Brave tho.
> It also makes the spoofing completely undetectable.
It's my understanding that the usage of the debugger is detectable by scripts running on the page. I've actually come across content websites that will refuse to activate their features (play video) if the debugger is active.
Similarly on Android some video streaming apps will refuse to load and play their content catalog if USB debugging is enabled.
A javascript file, whose name changes with every refresh, is loaded. The script calls the `debugger` keyword, which only functions when you have DevTools open.
Meanwhile, a tickers is running. If a tick takes too long, it interprets that as the debugger having been called.
There are a bunch of sophisticated ways to obfuscate it, but it basically boils down to:
<script>
setInterval(function() {
try {
let before = new Date().getTime();
// This will pause the program execution if debugging is enabled.
// If debugging isn't enabled this statement is a no-op.
debugger;
let after = new Date().getTime();
// Detect if the program was paused or not.
if (after - before > 0.01) {
// > 10ms difference? The program was (most likely) paused by the debugger.
document.body.innerHTML = "<h1>Debugging started</h1>";
}
} catch(e) {}
}, 1000);
</script>
There are some other ways to detect it by implementing various prototype methods and continually logging the object to the console. The methods are only invoked if the dev console is opened.
I'm able to get it to trigger on about ~10-20% of page reloads with your extension activated. Never when it isn't. Maybe it's just a matter of tuning the interval and detection threshold?
I don’t have a link offhand but I’ve seen this code while debugging some pirate sports streams. The next upcoming one to check would be an NBA game from “nba bite” (Google it, it’s the offshoot of the banned sports streaming subreddits.)
I think you’re probably right that it wouldn’t detect presence of your extension, since that code runs in its own context and I assume doesn’t actually call the debugger. If your extension injects a script into the page, then that could be detected with this technique or similar.
I'm commenting here both to remind myself to check back and try this out when I'm not on mobile, and to thank you for building this- at first glance it looks good.
Is it safe to do? I mean I want to stop this message for Vytal only, because I know that it uses debugger API. But I would want to know if tomorrow my adblocker starts to use debugger API.
Any existing extension would have to explicitly declare the appropriate permission for using the debugger API. Chrome automatically disables extensions that add new permissions until you review them.
Many (most?) VPN mechanisms don't entirely remove access to the other routes from apps that manually request them, so even if an app isn't able to use something akin to "location services" on your device it might still easily be able to get access to your other IP addresses by sending requests with sockets manually bound to specific interfaces, and even might choose to lower the priority of information learned using interfaces that are clearly tunnel devices instead of network cards.
Also known as split tunnel, this can be used by corporate VPN solutions to lower the amount of network traffic entering a data center (so you don’t overload your undersized pipes)
No, I don't mean that. That's when you purposefully set your routing table to split some traffic to different paths. The premise here is that even if all of your traffic is supposedly going over a VPN, an app can often opt out of that and do whatever it wants.
I thought the complaint was that the browser was figuring it out directly and then exposing it, such as via the browser's location API, not that the website was figuring it out using non-location network mechanisms provided by the browser.
(FWIW, a website that is given media recording privileges can definitely do that, though, using WebRTC. If you don't have that privilege then you can still use the WebRTC API but it doesn't return alternative candidates. But I also don't think that is what they meant.)
There are services that wardrive around mapping locations of WiFi access points. Your laptop periodically will phone home with your nearby Wi-Fi MAC addresses (BSSIDs) to ask where they were detected.
By the way, if you've ever noticed a brief packet drop or latency spike (usually a few 100s of ms) while pinging a server from your Mac, it might be because your device is doing this.
When Location Services is on (which it is by default), macOS will periodically switch your wireless card to monitor mode to find those nearby SSIDs. That briefly interrupts normal network traffic.
IIRC, it does this more often when Find My.app is turned on.
You can disable Location Services in: System Preferences > Security & Privacy > Location Services
firefox has something called the mozilla location provider, which maps wifi access points to locations, which is similar to what google maps uses when you have gps disabled on mobile
Go to about:config () and set geo.enabled to false.
: if you're on Android, you'll need either an unstable version (Beta, Nightly) or a fork (Fennec from F-Droid) of Firefox to get access to that page because Mozilla decided users of the standard distribution can't be trusted with these settings.
I dont want to dislike firefox, but I am starting to find new reasons to resent it. It seems like every other week there is something new I'm finding out about that gives me pause before running updates. Every new 'feature' brings me further and further away from feeling like it's a browser I can trust to be just a browser. Something has to change. Pocket, Allo, still taking the google allowance, absolutely squandering their endowments on salary, too much focus on social signaling and politics. Just be a browser, please.
I won't be going to anything chrome-like, but I do see myself spending a lot more time using and sponsoring qutebrowser, or simply passively consuming offline.
If wanting a browser to be just a browser is petty, then I am the pettiest. If you havent tried qutebrowser yet, give it a shot. When I say just a browser, this hits it pretty close, if you ask me.
Vim mode is pretty neat. It seems like the whole app is kind of just like a python gui app wrapper around webkit? Looks like it would be pretty good if I was using linux and a tiling wm as my main thing but these days I'm pretty bound to Windows for the type of development I'm working on.
Most of my linux desktop usage these days is stuff like writing scrapers in cloud containers that need a real browser that I can control using selenium or puppeteer or whatever though, is it supporting anything like that? If this works on Windows too that would be a bonus.
I don't know if it supports that type of workflow yet, but I hope something fills that void soon. It's a very real need with a clearly defined utility.
I'm using these FF addons CanvasBlocker and Spoof Timezone to spoof UA and timezone. I checked vytal.io and it shows those addons can't fully spoof web worker method. I usually use https://browserleaks.com/javascript to test spoofing addons.
I'm going to have to try using this to activate bank cards and add them to Google Pay while abroad. That's my one use case that VPNs have proven not to be enough for.
So I've installed it. I'm tunneling to another country. Vytal says everything is correct for country B. However the site I'm testing posting to still detects that I'm outside their country. And I can't work out how :/
Very few websites/services actually use location to test geo-restriction (especially on browser. it's more common for mobile apps).
The most common reason why you VPN didn't work is that they simply block IP ranges of common used (proxy) servers. They also can check if the IP is "Native IP" (means it's actually registered in the country that the server is in.)
I think I've worked it out. They detect VPN/proxies, where there are plenty of libraries to do so.
So I tried creating a VPS in the same city as them last night, used freakin' lynx on a terminal so sans-Javascript, and lo and behold, still detected that I wasn't in their country :/
I think I've worked out how tho. They detect VPN/proxies, where there are plenty of libraries to do so.
So I tried creating a VPS in the same city as them last night, used freakin' lynx on a terminal so sans-Javascript, and lo and behold, still detected that I wasn't in their country :/
I have my browser set to English in a non-English country. Set your locale to what you are comfortable with reading. It doesn’t (shouldn’t) factor into things except the language the website displays. Unless you are Google, then it might just randomly pick a random language (my results flip flop between Portuguese and Dutch, despite manually changing the language back to English repeatedly).
What if I am travelling to another country physically where I don't read or write the local language? Would this affect my website access even if I'm connected via an IP inside the country?
This extension takes an interesting approach to spoofing data, which is nice!
In my case, I’m interested in doing the same thing inside of Puppeteer for web scraping, unfortunately it seems like the only possible approach is similar to content scripts (for example https://github.com/berstend/puppeteer-extra/tree/master/pack...) which leads to it being easily detected. Are there any similar approaches that can be used for Puppeteer?
The flags you need for headless extensions are --enable-features=UseOzonePlatform and --ozone-platform=headless, but tell puppeteer to run normally, not headless. That way it still uses full chrome but doesn't require a display server.
The fact that the debugger API is active is almost certainly detectable. I haven't tried recently, but it's been possible in older versions - and I've yet to come across a spoofing tool that I couldn't find a way to detect.
Modern VPN usage means do not have understood the purpose of a VPN...
Using a VPN as a proxy to circumvent geographical block is reasonable to a certain extent, but call them a privacy help, when you do not own the server is ridiculous...
So... An unknown commercial VPN hoster who happen to sell so called now "VPNs", with a siege in British Virgin Island (for instance) is not malicious while a local ISP, obliged to follow national laws you probably know is worse?
It's hard to believe for me...
If I host my VPN for instance to include some remote machines to my LAN, or as a company to offer a LAN to nomadic clients, that's a thing. If I decide to route 100% of my traffic to some servers in exotic locations where no privacy laws exists, where I probably never ever look for a local lawyer just because of lack of norms, language and costs issues, it's IMVHO a crazy choice like those who regularly buy "anti-5G radiation-absorber stickers" or "air purifier" and things like that.
My ISP might spy on me, surely they do, but we have a contract under local laws we both knows, we speak the same language, I have a local lawyer I trust etc. Using something else to circumvent eventual geo-blocks ok, but for the rest? How can I trust more an unknown third from exotic places telling in its advertisement "we care about privacy"?
Google Maps still knows where you are on your mobile because it can still detect nearby WiFi networks and use the GNSS receiver. You would need to remove these permissions, and then it wouldn't work at all.
> Check out https://vytal.io/. There are many more data points then just the geolocation api.
I think most people would agree that your so called additional data points are worthless for the purpose that most people would be concerned about location data.
Something like timezone "location" (which basically what your vytal website is showing) is simply not granular enough to be used for nefarious purposes.
I mean, if my browser is telling someone that my "location" is EDT timezone what good is that going to do them ? Its still too much of haystack to be useful to anyone.
Let's be honest here, "location" to most people means GPS-type location (i.e. you'll find me in this house on this street). Anything more coarse than that is frankly of limited use to an adversary.
What if you're trying to hide your country lol? It also spoofs your locale and user agent. Just because its not something you care about doesn't mean its useless. Also never claimed it was going to change the world or anything. Just thought it was an interesting way to use the debugger api and that some people might find it cool.
The idea for this extension is really cool! However I use a proxy switcher extension to connect to my vpn client on a per website basis (tldr split tunneling). Is there any way to make your extension work with this setup?
Vytal can Spoof your timezone, locale, geolocation and user agent. This data can be used to track you or reveal your location.
Most extensions that provide anti-fingerprinting features rely on content scripts to inject script tags into webpages. There are many limitations to script tag injections which you can read about here: https://palant.info/2020/12/10/how-anti-fingerprinting-exten...
Vytal utilizes the chrome.debugger API to spoof this data. This allows the data to be spoofed in frames, web workers and during the initial loading of a website. It also makes the spoofing completely undetectable.
You can test and compare Vytal and other extensions on https://vytal.io
Unfortunately it doesn't work on Firefox since Firefox doesn't support the debugger API. Works on Brave tho.