Revealing too much WebGL vendor information

ghost842 · November 13, 2024, 11:08pm

Today, while I was doing comparison between browsers, I have noticed that Brave fully reveals information about users’ WebGL vendor information. My vendor was fully found by the website. I think, it is a good idea to make it private because none of other browsers revealed this data. The comparison was made between Google Chrome, Safari, Tor and Brave by using https://coveryourtracks.eff.org/.

289wk · November 14, 2024, 3:27am

Good to know. @Mattches probably can pass that info along. Thank you.

Vibes3001 · November 14, 2024, 3:36am

This is outrageous. How is a privacy focused browser letting this slip? I need to cancel my subscription…

Saoiray · November 14, 2024, 4:02am

@shivan last year you spoke on this where you said WebGL would randomize on strict fingerprinting. But now that strict fingerprinting has been removed, it doesn’t seem randomized anymore. Is this one of the things that has been decided not to really matter much on privacy and not handled?

I see Hash of WebGL fingerprint is randomized but WebGL Vendor & Renderer isn’t.

@ghost842 despite me tagging them on that to get your question through, I doubt it’s used often “in the wild” and isn’t doing much on us being unique. Don’t forget that when we test on EFF and it provides statistics on One in x browsers have this value that it’s only comparing those who have run the test.

For example, I ran the test three times. Notice how the value changed despite everything being the same? One in 990, one in 985, one in 974. That shows how limited of a scope it is and how the accuracy is down a bit.

Final Thought:

Most things are random and you would seem unique in all the places we visit. Unless you have an explicitly unique WebGL Vender & Renderer, it’s not going to be much of anything that will identify you and I don’t see it being much of a privacy concern.

However, I will be interested to see what Shivan mentions if he will swing by to answer.

shivan · November 15, 2024, 12:36am

My vendor was fully found by the website. I think, it is a good idea to make it private because none of other browsers revealed this data.

“none of other browsers revealed this data” sounds incorrect. I visited coveryourtracks.eff.org on Safari, Chrome, Firefox and Brave. Only Brave got “strong protection against Web tracking” AND “your browser has a randomized fingerprint” with default settings.

About WebGL vendor and renderer debug strings specifically: we’ve experimented with farbling them by default, but this deviation from what every other browser is doing causes too much website breakage for not much privacy advantage. Fingerprinting protection is always a balance between website breakage (or webcompat) and privacy protection. Brave’s fingeprinting protections are already best-in-class.

Saoiray · November 15, 2024, 6:13am

@ghost842 just wanted to give a heads up. I went back to try to test things out. Originally when I opened Chrome and Firefox, I was seeing that it did not actually share what graphics card and all I was using. So it had me thinking something weird was going on.

But then I researched and realized that I had Use graphics acceleration when available enabled in Brave but it was disabled in Chrome. Toggling this off on Brave changed the WebGL Vendor & Renderer. Then toggling it on in Chrome did the reverse, revealing my graphics card.

As mentioned before, I don’t think this is going to be as much for tracking as we may think, but at least is to give info that if we have that disabled then it would just show the default browser which is more widely used than specific graphics cards. Though may see a hit to performance as it won’t use the GPU as much to render everything.

Chrome (graphics acceleration off)

Brave: (graphics acceleration on)

Chrome: (graphics acceleration on)

Brave: (graphics acceleration off)

So at least that’s one potential “mystery” determined. I especially wanted to dive in deeper when I knew you had said results seemed different for you on these different browsers. My assumption is you’ll find it the same, that it’s because the settings around graphics/hardware acceleration in those browsers are set differently.

Most important of all though, is seeing this:

Brave:

Chrome (even with uBlock Origin installed, so guess it’s killed already, I need to get other version, lol):

Vivaldi (default)

Edge (default)

Firefox (default, not hardened)

voidastro · December 19, 2024, 10:04pm

On Linux it even discloses the kernel version.

No idea how brave is able to score highly on any of these privacy metrics with such a glaring issue.

use --disable-webgl

Note that Tor Browser blocks this along with everything else.

Brave also disclose highly specific web page resolution.
This means that the mere presence of a system bar of non-standard height/width identifies you.
Vertical tabs make you for all practical purposes unique if you adjust their width in any way.

Topic		Replies	Views
Block device information being leaked Desktop Requests	1	25	December 20, 2024
Brave's anti-fingerprinting technology is flawed Feedback privacy , browser	24	2897	May 28, 2021
Stronger anti-fingerprinting Desktop Requests privacy , feature-request	8	1066	April 28, 2021
Fingerprinting prevention limitations Brave Feature Requests privacy , feedback , browser , feature-request	0	604	April 12, 2023
Brave browser fingerprinting protection is useless Browser Feedback privacy	12	5803	January 5, 2022
Privacy guidance please - browser fingerprinting defences Desktop Support macos	26	3287	September 16, 2022
Privacy? What Privacy? Feedback	6	756	May 21, 2019
This is for the Brave Employees and Developers Brave Feature Requests privacy	0	297	November 22, 2022