Plug Leaks Block Fingerprinting
Ad-Free No Ads. No tracking.
Download on Chrome Store

treaty.io – Real Fingerprinting Source Code Examples – beta treaty.js

treaty.io – Real Fingerprinting Source Code Examples – beta treaty.js

Real Fingerprinting Source Code Examples
Found in the public installation documentation for developers to add https://treaty.io/beta/treaty.js to their website or app for device tracking. Saved on 7/2/2018.
Unique threats from this script and service: They can leak cell phone carriers with a facebook trick and use existing google analytic tracking by stealing their unique clientid set for your device and also the websites that set it.
Fingerprint Type Detected Functions used in this script to fingerprint
Web Audio API Yes offerToReceiveAudio, writeRtpMap, numChannels, clockRate, codecs, rtcp, headerExtensions, writeSessionBoilerplate, writeMediaSection, rtpReceiver, ssrc, sendEncodingParameters
Network Yes port, type, raddr, relatedPort, tcpType, webRTC IP
Browser Useragent Yes WebAPIs.NavigatorID.userAgent, WebAPIs.headers.User-Agent, product, productSub, appCodeName, appVersion, privateBrowsing, userLanguage, Date and time, and many still unknown properties. (0x32c, 0x32b, etc.)
Screen Recording Yes devicemotion, visibilitychange, webkitvisibilitychange, and addEventLisener and handleEvent for: click, mouseup, keydown, keyup, PointerEvent, load, resize, accelerometer
XML Http Request Yes Send, Open
WebRTC Yes googIPv6, RTCPeerConnection, rtcpFeedback, parseRtcpFb, parseRtcpParametersm, shimRTCIceServerUrls, RTCRtpSender, RTCIceServer.url, RTCIceCandidate, RTCSessionDescription, rtcpMuxPolicy, RTCRtpReceiver, RTCIceGatherer, matchMedia, address
CPU and Memory Yes hardwareConcurrency
Permanent Storage Yes indexedDB, localStorage, getItem, data, lastIndexOf, testKey, sessionStorage, etag, TEMPORARY
Plugins Yes mimeTypes, mediaDevices, isBlockingAds
WebGL Yes WEBGL_debug_renderer_info, unmaskedRenderer, FRAGMENT_SHADER
Screen Yes resize, screen, height, innerHeight, colorDepth, touch, visibilitychange, body, length
Fonts No Not sure, still researching. Not detected so far.
Unique Exploits Yes Cell phone carrier leaking via Facebook app leak, identifying and linking users by stealing existing google analytics userid and history.
One of our main focus is accuracy. Our algorithm combine multiple approaches to ensure the most persistent results possible. We analyzes your data in real time to find the best match across all our network.treaty.io - the device fingerprint API
View treaty.js fingerprint source code Formatted Version

By no means the strongest fingerprinting scripts or services, in fact it is one of the weaker of the “professional/commercial” scripts, and they currently depend the most on AudioAPI. That doesn’t mean it isn’t to be taken seriously as a threat to your privacy, here is a list of the properties they provide websites and apps:

Response object

  • deviceId <[string]> Device ID associated with the device. Unique across browsers and websites on a same machine.
  • created <[string]> The date at which the current response object was created.
  • firstSeen <[string]> The date at which the device ID was generated.
  • browserFingerprint <[string]> The browser fingerprint.
  • browserFingerprintLength <[number]> The number of identification vectors that make up the browser’s fingerprint.
  • device <[Object]> The device associated with the request. See the list of all detected devices.
    • type <[string]> The type of device. Can be either desktoptabletphabletsmartphonetvportable media playerconsole or bot.
    • brand <[string]> The brand of the detected device.
    • model <[string]> The model of the detected device.
    • client <[Object]> The browser running on the device. See the list of all detected browsers.
      • type <[string]> The type of client. Can be either browser or mobile app.
      • name <[string]> The name of the browser or mobile app.
      • version <[number|string]> The version of the browser or mobile app.
      • engine <[string]> The browser engine of the browser or mobile app.
    • os <[Object]> The operating system running on the device. See the list of all detected operating systems.
      • name <[string]> The name of the operating system.
      • version <[number|string]> The version of the operating system.
      • platform <[number]> The platform on which the operating system runs.
    • bot <[Object]> Specifies if the device is a bot. Empty if the device is not a bot. See the list of all detected bots.
      • name <[string]> The name of the bot.
      • category <[string]> The bot category. Can be either Analytics SEO CrawlerBenchmarkCrawlerFeed FetcherFeed ParserRead-it-later ServiceSearch botSearch toolsSecurity CheckerSecurity search botService AgentSite MonitorSocial Media Agent or Validator.
      • url <[string]> Online resource about the bot.
      • producer <[Object]> The company/org behind the bot
        • name <[string]> The name of the company.
        • url <[string]> URL to the company’s website.
  • publicIp <[string]> The IP address associated with the client. Can be a proxy IP address.
  • isTor <[boolean]> Whether the request came from the tor network.
  • isIncognito <[boolean]> Whether the browser is in incognito mode (Private mode).
  • isBlockingAds <[boolean]> Whether the browser is blocking ads.
  • facebook <[Object]> All things Facebook.
    • loggedIn <[boolean]> Whether the user of the device is currently logged in on Facebook.
    • carrier <[string]> The cell phone carrier leaked by Facebook. Available when the request is made from the Facebook app.
  • googleAnalytics <[Object]> Google Analytics tracking information.
    • clientId <[string]> The Google Analytics client ID extracted from the website.
    • domain <[string]> The domain name from which the client ID was extracted.
  • geoIp <[Object]> Object containing the geolocation information associated with the public IP address.
    • country <[string]> The name of the country.
    • countryCode <[string]> A ISO 3166-2 standard two-letter country code.
    • region <[string]> The name of the state/province.
    • regionCode <[string]> A ISO 3166-2 standard two-letter region code.
    • city <[string]> The name of the city. Can be empty.
    • postalCode <[string]> The postal/zip code.
    • latitude <[number]> The latitude associated with the location.
    • longitude <[number]> The longitude associated with the location.
  • Retrieve up-to-date geolocation information about your users.
  • Device fingerprint Device recognition Precisely recognize user devices across browsers and websites.
  • Detect the browsers, OS and devices used by your visitors.
Disclaimer: Content is shown as an example of what methods, abilities, and techniques are in use for identifying and tracking people, for the purpose of analyzing if it may be too intrusive on privacy or wither or not there is anyway to maintain privacy with current software available. It may contain intellectual copyright, trademark, or licensing requirements. Files and documentation shared was found in public documentation or was loaded automatically in my browser while visiting a website.

 

Comments are closed.