treaty.io – Real Fingerprinting Source Code Examples – beta treaty.js
|Fingerprint Type||Detected||Functions used in this script to fingerprint|
|Web Audio API||Yes||offerToReceiveAudio, writeRtpMap, numChannels, clockRate, codecs, rtcp, headerExtensions, writeSessionBoilerplate, writeMediaSection, rtpReceiver, ssrc, sendEncodingParameters|
|Network||Yes||port, type, raddr, relatedPort, tcpType, webRTC IP|
|Browser Useragent||Yes||WebAPIs.NavigatorID.userAgent, WebAPIs.headers.User-Agent, product, productSub, appCodeName, appVersion, privateBrowsing, userLanguage, Date and time, and many still unknown properties. (0x32c, 0x32b, etc.)|
|Screen Recording||Yes||devicemotion, visibilitychange, webkitvisibilitychange, and addEventLisener and handleEvent for: click, mouseup, keydown, keyup, PointerEvent, load, resize, accelerometer|
|XML Http Request||Yes||Send, Open|
|WebRTC||Yes||googIPv6, RTCPeerConnection, rtcpFeedback, parseRtcpFb, parseRtcpParametersm, shimRTCIceServerUrls, RTCRtpSender, RTCIceServer.url, RTCIceCandidate, RTCSessionDescription, rtcpMuxPolicy, RTCRtpReceiver, RTCIceGatherer, matchMedia, address|
|CPU and Memory||Yes||hardwareConcurrency|
|Permanent Storage||Yes||indexedDB, localStorage, getItem, data, lastIndexOf, testKey, sessionStorage, etag, TEMPORARY|
|Plugins||Yes||mimeTypes, mediaDevices, isBlockingAds|
|WebGL||Yes||WEBGL_debug_renderer_info, unmaskedRenderer, FRAGMENT_SHADER|
|Screen||Yes||resize, screen, height, innerHeight, colorDepth, touch, visibilitychange, body, length|
|Fonts||No||Not sure, still researching. Not detected so far.|
|Unique Exploits||Yes||Cell phone carrier leaking via Facebook app leak, identifying and linking users by stealing existing google analytics userid and history.|
By no means the strongest fingerprinting scripts or services, in fact it is one of the weaker of the “professional/commercial” scripts, and they currently depend the most on AudioAPI. That doesn’t mean it isn’t to be taken seriously as a threat to your privacy, here is a list of the properties they provide websites and apps:
deviceId<[string]> Device ID associated with the device. Unique across browsers and websites on a same machine.
created<[string]> The date at which the current response object was created.
firstSeen<[string]> The date at which the device ID was generated.
browserFingerprint<[string]> The browser fingerprint.
browserFingerprintLength<[number]> The number of identification vectors that make up the browser’s fingerprint.
device<[Object]> The device associated with the request. See the list of all detected devices.
type<[string]> The type of device. Can be either
portable media player,
brand<[string]> The brand of the detected device.
model<[string]> The model of the detected device.
client<[Object]> The browser running on the device. See the list of all detected browsers.
type<[string]> The type of client. Can be either
name<[string]> The name of the
version<[number|string]> The version of the
engine<[string]> The browser engine of the
os<[Object]> The operating system running on the device. See the list of all detected operating systems.
name<[string]> The name of the operating system.
version<[number|string]> The version of the operating system.
platform<[number]> The platform on which the operating system runs.
bot<[Object]> Specifies if the device is a bot. Empty if the device is not a bot. See the list of all detected bots.
name<[string]> The name of the bot.
category<[string]> The bot category. Can be either
Analytics SEO Crawler,
Security search bot,
Social Media Agentor
url<[string]> Online resource about the bot.
producer<[Object]> The company/org behind the bot
name<[string]> The name of the company.
url<[string]> URL to the company’s website.
publicIp<[string]> The IP address associated with the client. Can be a proxy IP address.
isTor<[boolean]> Whether the request came from the tor network.
isIncognito<[boolean]> Whether the browser is in incognito mode (Private mode).
isBlockingAds<[boolean]> Whether the browser is blocking ads.
loggedIn<[boolean]> Whether the user of the device is currently logged in on Facebook.
carrier<[string]> The cell phone carrier leaked by Facebook. Available when the request is made from the Facebook app.
googleAnalytics<[Object]> Google Analytics tracking information.
clientId<[string]> The Google Analytics client ID extracted from the website.
domain<[string]> The domain name from which the client ID was extracted.
geoIp<[Object]> Object containing the geolocation information associated with the public IP address.
country<[string]> The name of the country.
countryCode<[string]> A ISO 3166-2 standard two-letter country code.
region<[string]> The name of the state/province.
regionCode<[string]> A ISO 3166-2 standard two-letter region code.
city<[string]> The name of the city. Can be empty.
postalCode<[string]> The postal/zip code.
latitude<[number]> The latitude associated with the location.
longitude<[number]> The longitude associated with the location.
- Retrieve up-to-date geolocation information about your users.
- Device fingerprint Device recognition Precisely recognize user devices across browsers and websites.
- Detect the browsers, OS and devices used by your visitors.