[HN Gopher] Show HN: Explore what the browser exposes about you
___________________________________________________________________
Show HN: Explore what the browser exposes about you
I built a tool that reveals the data your browser exposes
automatically every time you visit a website. GitHub:
https://github.com/neberej/exposedbydefault Demo:
https://neberej.github.io/exposedbydefault/ Note: No data is sent
anywhere. Everything runs in your browser.
Author : coffeecoders
Score : 208 points
Date : 2025-11-24 18:05 UTC (5 days ago)
(HTM) web link (neberej.github.io)
(TXT) w3m dump (neberej.github.io)
| coffeecoders wrote:
| Hi HN,
|
| I've been experimenting with ways to reduce my browser
| fingerprint and exploring techniques to anonymize fingerprint
| data.
|
| So I built this.
|
| This is kind of like a lighter, more thorough version of CreepJS
| but entirely client side. I don't maintain massive lists of time
| zones or do server-side comparisons to calculate uniqueness.
| Instead, it automatically surfaces everything a browser exposes,
| explaining each item in detail.
| locknitpicker wrote:
| Hi, thank you for going through the trouble of putting this
| together. This sort of service is invaluable as it allows us
| clueless people to be mindful about something that negatively
| impacts our life.
|
| Here's a suggestion: it's important to show us that our browser
| footprint allows us to be positively identified and tracked,
| but it only alerts us to a problem. It would be very useful if
| the site also provided some tips to improve anonymity,
| particularly if it's low-effort changes such as tweaking a
| couple of config changes.
| greggman65 wrote:
| There's a mis-understanding of at least the Graphics part. For
| example WebGPU features. It looks like lots of info
|
| https://webgpureport.org/
|
| But, they are bucketed
|
| https://www.w3.org/TR/webgpu/#privacy-considerations
|
| It's not zero pieces of info but it's also not close to as bad
| as it looks. Effectively, everyone who has, say an NVidia GPU,
| will likely have the same list of features and limits.
|
| As a more general example: The number is just a flat out wrong
|
| > Unique to 1 in 2,147,483,648+ devices.
|
| No, I have an iPhone Pro and am in the PST time zone, set to
| English. It has the exact same finger print as millions of
| other devices among the 40 million people in the PST time zone.
| _In general_ , The only things different between 2 iPhones of
| the same model are time-zone, laguange setting, and font size.
|
| Please STOP EXAGGERATING!
| jedberg wrote:
| > No, I have an iPhone Pro and am in the PST time zone, set
| to English. It has the exact same finger print as millions of
| other devices among the 40 million people in the PST time
| zone.
|
| Your IP address, ASN, and location make this not true.
| dror wrote:
| Beyond the obvious IP address difference, there are other way
| to fingerprint you, see https://coveryourtracks.eff.org/
| which will actually provide details about how you're a
| special snowflake, tracked by advertisers.
| ErroneousBosh wrote:
| > This is kind of like a lighter, more thorough version of
| CreepJS
|
| you walked right by the chance to call it WeirdoJS
| godelski wrote:
| I'm really frustrated with these types of websites because they
| tell me nothing.
|
| What I'd love for these sites to do is help me understand where
| I am _distributionally_. How unique am I? On what? Help me
| understand what needs to be fixed and what my threat vector is.
|
| The problem with these is that I'm always unique. Doesn't
| matter what browser I'm on or what. If I am unique on a clean
| Apple laptop in _either_ Safari or Chrome then it is
| essentially meaningless. I got controlled hardware and vanilla
| software, how else do you blend into the crowd?
|
| But in the wild sites aren't always implementing _all_ these
| features. So I want to see if I 'm unique to standard site or
| even one that is a bit more heavy. Importantly _HOW_ unique am
| I? What things am I not unique, how unique am I, and what are
| the most unique things about me?
|
| Having that information gives me the ability to do something
| about it. Without that information then this is just like any
| other website where essentially the message is "be scared!
| People can track you on the internet and there's _nothing_ you
| can do about it! "
| Phelinofist wrote:
| > What I'd love for these sites to do is help me understand
| where I am distributionally. How unique am I? On what? Help
| me understand what needs to be fixed and what my threat
| vector is.
|
| This EFF tool does this https://coveryourtracks.eff.org/
| evgpbfhnr wrote:
| I get a new fingerprint id everytime I refresh the page (firefox,
| linux) -- so that might be sampling a tiny bit too much. audio
| and canvas fingerprint are constant though so it's probably
| plenty enough...
| reconnecting wrote:
| The same applies to macOS. Safari produces a unique fingerprint
| ID every time, and Firefox also has a different fingerprint ID
| with every visit.
|
| If the fingerprint ID is unique every time, there is zero
| possibility of using it for identification.
| conartist6 wrote:
| Very interesting. So this is the battlefield perhaps.
| Randomly corrupt the data instead of eliminating it?
| mpeg wrote:
| I think it might be because the performance fingerprints need
| to be bucketed. If they're too specific you'll never get the
| same fingerprint twice.
| alentred wrote:
| EFF has a similar tool: https://coveryourtracks.eff.org/
|
| No idea how representative either tool is.
| oersted wrote:
| Interesting!
|
| For me it says 1 in 17,179,869,184+, but scrolling through all
| the variables, the vast majority should be the same for any
| MacBook Chrome user.
|
| It would be great to see the stats of each individual
| characteristic.
| jspash wrote:
| I would love to be able to toggle an attribute off/on to see
| what affect each has on the uniqueness of my fingerprint. My
| guess is that there are a handful of _very_ unique things, that
| if obscured, would make one less recognisable.
| collinmanderson wrote:
| https://coveryourtracks.eff.org/ is less detailed but shows
| the individual uniqueness of each attribute.
| greggman65 wrote:
| that site has the same issue. It will give ridiculous and
| easily provably false results for iPhones.
|
| There are ~40 million in the PST time-zone. Some percent
| have smartphones (80%+), ~50% of those are iPhones (16
| million). Of those, the majority are set it English (80%+),
| and are divided into screen sizes. But basically, if you
| have an iPhone, you have the same fingerprint has at least
| a million other other people in the PST time size. You are
| at best, 1 of 100, not 1 of x,xxx,xxx,xxx.
|
| You might be x,xxx,xxx,xxx of people who visited that
| unpopular site but no one needs tracking on an unpopular
| site. On a popular site you will not have a unique finger
| print.
| njitram wrote:
| I tried various browsers, even the Tor browser, but it keeps
| showing 'Unique to 1 in 17.179.869.184+ devices'?
| qwertytyyuu wrote:
| I have the exact same, Unique to 1 in 17,179,869,184+ devices.
| actually slightly different. hmmm... ,'s vs .'s
| aaronharding wrote:
| the person above you is from The Netherlands ;)
| Sayrus wrote:
| It's unique but changes on each reload. While the details are
| interesting, the fingerprint itself is not useful.
| gruez wrote:
| It's highly unlikely they obtained 17 billion samples, so
| they're likely guesstimating it by assuming each attribute is
| independent, and summing the entropy of all attributes. That's
| obviously incorrect, both because attributes are inevitably
| going to be correlated (eg. ip geolocation correlated with time
| zone), and that two identical devices (eg. 2 iPhones) will have
| identical fingerprints.
| dunham wrote:
| And I get a different id every time I reload.
| reconnecting wrote:
| May I ask if this code is the result of 'vibe coding'?
| manbitesdog wrote:
| It looks AI-assisted, based on these two commits: *
| https://github.com/neberej/exposedbydefault/commit/503bd6519...
| *
| https://github.com/neberej/exposedbydefault/commit/16693ba17...
|
| But to what extent should we care for such a small website? The
| AI witch hunt won't get us too far, and this new way of
| producing is only getting started. The loss of control to a
| non-deterministic black box is worrysome, but at some point
| non-vibe coded (hard coded? brain coded?) software might become
| less error-prone that vibe-coded
| mcny wrote:
| > but at some point non-vibe coded (hard coded? brain coded?)
| software might become less error-prone that vibe-coded
|
| Did you mean more instead of less?
| Santosh83 wrote:
| What we need is VPB. Virtual Private Browser like VPNs.
| Essentially standardised cloud browsers that can execute your
| requests and send you back the result as bitmap buffers.
| ycuser2 wrote:
| Great idea! How to make sure that the users data stays private
| without the cloud knowing where the user is surfing. And I
| wonder how to monetise it? Subscription?
| slig wrote:
| I believe Cloudflare has this product already
| https://www.cloudflare.com/zero-trust/products/browser-isola...
| ghxst wrote:
| Not all websites work well, and you get a lot of captchas
| last time I tried it. From memory the way they make this work
| is pretty cool though, they capture Skia draw commands and
| send those over the network and use a wasm library to replay
| them.
| sillyfluke wrote:
| Didn't Stallman himself write and use something in the same
| vein to browse the internet?
| selcuka wrote:
| So basically VNC?
| dvh wrote:
| ERROR>
| https://neberej.github.io/exposedbydefault/assets/index-3936...:
| Uncaught ReferenceError: speechSynthesis is not defined
| SeriousM wrote:
| Here's another one: https://amiunique.org/fingerprint
|
| It's important to point out fingerprinting, yet no ordinary user
| cares.
| udev4096 wrote:
| > Doesn't even load with JS
|
| > Impossible to "expose"
|
| The perks of disabling JS on every site!
| fareesh wrote:
| seems like brave works well and isn't getting correctly
| fingerprinted
| conartist6 wrote:
| I could not be more thrilled to see tools like this being built.
| Without tools to see the problems, we will never fix them
| adhambadr wrote:
| Yet on the flip side, if I'm trying to auto identify my own phone
| for a login-less private app i tried to build I couldn't get to
| reliably generate a consistent fingerprint on safari private
| mode, it regenerates 50% of the time, I've tried several
| libraries like fingerprintjs and co..
| zipping1549 wrote:
| How about mTLS?
| ffsm8 wrote:
| Isn't that what webauthn was made for?
|
| Or did I misunderstand you?
| mr-wendel wrote:
| Fwiw, I use Tailscale/wireguard and take care to ensure the
| source IP gets fed to apps properly. This makes it easy to
| guarantee I have a reliable way to identify myself on my
| webapps and auto-auth.
| bstsb wrote:
| this seems incredibly variable as to be almost useless as any
| type of "fingerprint" - running the latest version of Chrome on
| Android, the ID at the top of the page changes each reload.
| peterspath wrote:
| It's just a blank page for me on iOS 26.1 Safari with Lockdown
| Enabled.
| simianparrot wrote:
| Seems like the fingerprint ID is unique on each refresh in
| Safari, so fingerprint protection working as intended I presume?
| zamadatix wrote:
| The main "Fingerprint ID" on this site seems to be a direct
| combination of all values, so if even a single one changes
| it'll act like the only conclusion is this is an entirely
| different fingerprint. Actual fingerprinting is a bit smarter,
| but it's not really possible to demonstrate that in a single
| clientside scripted static web page.
|
| The more important bit to see from this tool is probably "this
| is an example of how much information which can aid in
| identification your browser exposes".
| csomar wrote:
| This is useless. I think you misunderstand the point of
| fingerprinting. A powerful fingerprinting algo should strive to
| detect you as the same person (aprox) while you use two different
| browsers. A more powerful one will detect you while you use
| another device. This only detect your current refresh.
| quinncom wrote:
| Thanks for pointing this out. At first, I was concerned -
| "Unique to 1 in 2,147,483,648+ devices" - but, my fingerprint
| ID changes with each page refresh, so there's no tracking
| possible. I'm using Brave on iOS.
| zeeed wrote:
| Is it possible and cost-covering to create an ad-sponsored
| service that discloses what ad networks collect about users -
| i.e. age, location, preferences, interests, pregnancy, illnesses
| etc?
|
| Because let's be honest - all of us know that a lot of data
| points are being collected about us, countless articles have been
| written about the insanity of cookie and user-data monetization
| networks - still it appears to be a privilege to few to tap into
| that data trove.
|
| I personally haven't seen an effort to try and make this
| transparent. Efforts like this page are commendable and
| informative, much like amiunique or other services - still they
| lack the tangible information that sharing this information with
| "the world" reveals about an affected individual.
|
| Why hasn't this been done yet? Why is this seemingly not trivial?
| jedimastert wrote:
| I'm unaware of how other platforms work, but for Google you can
| just see what buckets have been associated with your account:
|
| https://myadcenter.google.com/controls
|
| I'm not sure how that would work from an ad-buying perspective,
| from what I understand you essentially choose which buckets
| you'd like to show ads to? Like I don't think ad-buyers get the
| whole dossier for the person they're showing ads to, the
| platform just decides "from what you've told us, this person
| seems likely to like your ads"
| svieira wrote:
| You mean something like
| https://consumer.risk.lexisnexis.com/request?
|
| Or more like "on ad network X you match for keywords A, B, F,
| G"?
| boppo1 wrote:
| I want to know how much of my porn habits
| reddit/fb/google/whoever keep on file.
| ProllyInfamous wrote:
| Every load, and more.
| sandbags wrote:
| My understanding that attempts to defeat fingerprinting are often
| useless because they can tend to make you more, rather than less,
| unique.
|
| So instead I wonder if we could build an open database of
| "identities" that our browsers could clone.
|
| That is your browser deliberately reports the whatever is
| currently the most popular of a set of general identities.
| efilife wrote:
| This sounds good bit miss one thing and you are extremely
| unique again
| QuantumNomad_ wrote:
| If two people have the same model iPhone and same version of iOS
| how different or similar would the fingerprints be?
|
| My iPhone is allegedly unique to 1 in 2,147,483,648+ devices.
|
| But I wonder how true that is, given how many people use the same
| model and iOS version as me.
| ivanjermakov wrote:
| There is a couple of hardware/software independent data points:
| time zone, currency, locale.
|
| And if every option cuts the user base in half, becoming unque
| is a matter of 33 such options.
| pwython wrote:
| The fingerprint is comprised of more than device and OS:
|
| Browser type and version
|
| Screen resolution
|
| Installed fonts
|
| Browser plugins and extensions
|
| Canvas fingerprinting data
|
| WebGL (graphics hardware info)
|
| Time zone
|
| Language settings
|
| IP address
|
| HTTP headers
|
| Touch support
|
| Device type
|
| AudioContext
| QuantumNomad_ wrote:
| Yeah but several of those will also be the same if you have
| the same iPhone model and iOS. Safari browser updates are
| installed as part of iOS update. So anyone with the same iOS
| version has the same version of Safari.
| stevetron wrote:
| It reports that my OS is Windows 10 on two different browsers,
| even though my OS is Windows 7.
| demetris wrote:
| Do you know what user agent the browsers send?
|
| I tried with Windows 7 (Firefox 115) and it reports Windows 7.
|
| It seems though that it cannot distinguish between Windows 10
| and Windows 11, so, without looking further, I suppose the
| detection is based on the User-Agent string? (The OS version
| browsers report on Windows is frozen, so Windows 10 and Windows
| 11 have the same version there.)
| joahnn_s wrote:
| Here's another one: https://scrapfly.io/web-scraping-
| tools/browser-fingerprint They actually delve much deeper, with a
| wealth of additional data and interesting details.
|
| For example, in the DRM section, they extract the Security Level,
| like L3 - Software Decode (SW_SECURE_DECODE).
|
| Their WebRTC test is also unique: they utilize a TURN server as a
| feedback mechanism. That means even if you tamper with WebRTC JS
| in the browser (like some extensions do), it can still expose
| your real IP by leveraging UDP and bypassing the proxy
| altogether. https://scrapfly.io/web-scraping-tools/webrtc-leak
| Levitating wrote:
| There's no hint of what the fingerprint ID is supposed to be?
|
| Also I think somebody on HN recently pointed out that the
| language accept header can be used to fingerprint chromium users.
| jedberg wrote:
| If you reload the page a few times, and you're using a modern
| browser, you'll almost certainly find it's a different
| fingerprint every time. Most modern browsers add in a
| randomization so that fingerprinting cannot be used for tracking.
|
| So yes, your fingerprint is unique, but it's a different unique
| every time, making it pretty useless for anything.
| embedding-shape wrote:
| Seems right, I'm on "Mozilla/5.0 (X11; Linux x86_64; rv:145.0)
| Gecko/20100101 Firefox/145.0" and reloading the page I get a
| new fingerprint each time. "Unique Fingerprint ID" seems to be
| the only attribute that changes each reload, but it isn't clear
| how that's derived.
|
| Edit: Ah, turns out "Unique Fingerprint ID" is just the same
| fingerprint ID printed at the top, it isn't one of the
| attribute used for calculating the ID, it _is_ the ID. Guess I
| got confused by the placement of it.
| TazeTSchnitzel wrote:
| The currency and telephone number prefix info is highly
| misleading. Those are being assumed based on my IP, not being
| reported by the browser. Knowing some of this data is fabricated
| like this makes the site seem less credible.
| nervysnail wrote:
| I wait for the day when all this data collection explodes in a
| life threatening way for millions of people.
| bofadeez wrote:
| Maybe it's my WARP connection but it's showing almost no useful
| info. "Unknown" for almost everything.
| BinaryIgor wrote:
| Super interesting project! Out of curiosity, how do you calculate
| Unique Fingerprint ID and Canvas Deep Fingerprint Hash?
| taxking wrote:
| This is really cool, the audio thing estimating how many voices
| are nearby is sort of terrifying
| dsp_person wrote:
| Wdym, the thing that lists how many speech synthesis voices are
| available?
| Tacite wrote:
| "System Platform" : "MacIntel" Even though the Graphics Renderer
| is "Apple M1, or similar".
| bobbiechen wrote:
| I believe this comes from the (browser self-reported)
| navigator.platform, which is reported as MacIntel on all Chrome
| for Mac versions including Apple Silicon.
___________________________________________________________________
(page generated 2025-11-29 23:00 UTC)