This is an exploit for Safari 17.4 and lower that enables fingerprinting Safari users using `OffscreenCanvas` and `SharedWorker` even if fingerprinting protections are enabled. Apple seems to be unconcerned about this, so here it is! Apple seems to have changed their tune.
Demo: https://detectincognito.com/whatAreYouSmokingApple.html
Update (March 2024): While the included PoC doesn't display this, Firefox also seems to be vulnerable.
- Apple assigned this vulnerability CVE-2024-27830 and resolved the issue in Safari 17.5.
- Firefox attempted to address their issues in Firefox 127, however the `ServiceWorker` scope is still vulnerable to fingerprinting via `OffscreenCanvas`.
- Mozilla says the issue involving `OffscreenCanvas` will be addressed in Firefox 131.
As of Safari 17.4 on both macOS and iOS, canvas fingerprinting protections are not applied to `SharedWorker` and `ServiceWorker` web workers. Protections still apply to the `Worker` context, as well as in the main `window` context.
The included script runs a simple canvas fingerprinting technique using `OffscreenCanvas` in the `SharedWorker` scope. The output is then hashed. In addition, a function has been included that is able to detect if noise is being added to the `OffscreenCanvas` output for each included context. While the `ServiceWorker` context is also vulnerable to this attack, it is not implemented in order to keep the PoC as a single file.
To test the script, run it in Safari in a private window. The expected behavior is that each context should have the same hash value and all return `Noise: true`. However, as of Safari 17.4, `SharedWorker` will return a hash value that can aid in browser fingerprinting that is likely unique to the version of Safari used and maybe also to the hardware it's running on. While Safari is generally very resistant to being fingerprinted and this is certainly not enough alone to track a specific browser, this is not an ideal situation and must be addressed by Apple.
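The per-context noise check described above can be written as a small regression test. This is an added example, not the PoC's code: it assumes an active protection perturbs at least one byte when a known solid fill is read back from an `OffscreenCanvas`, and `FILL`, `countPerturbedBytes`, `readSolidFill`, `checkScope` and `unprotectedScopes` are hypothetical names.

```javascript
// Added example (not the PoC's code). All names are hypothetical.
// Assumption: when canvas protections are active, reading back a known
// solid fill returns at least one byte that differs from the fill color.
const FILL = [18, 52, 86, 255]; // constructed, fully opaque RGBA test color

// Count readback bytes that differ from the color that was drawn.
function countPerturbedBytes(rgba, expected = FILL) {
  let diff = 0;
  for (let i = 0; i < rgba.length; i++) {
    if (rgba[i] !== expected[i % 4]) diff++;
  }
  return diff;
}

// Draw the solid fill on an OffscreenCanvas in the current scope
// (window, Worker, SharedWorker or ServiceWorker) and read it back.
function readSolidFill(width = 16, height = 16) {
  const canvas = new OffscreenCanvas(width, height);
  const ctx = canvas.getContext('2d');
  ctx.fillStyle = `rgb(${FILL[0]}, ${FILL[1]}, ${FILL[2]})`;
  ctx.fillRect(0, 0, width, height);
  return ctx.getImageData(0, 0, width, height).data;
}

// Report whether noise is being applied in the scope this runs in.
// `read` can be swapped for a recorded readback when testing offline.
function checkScope(name, read = readSolidFill) {
  if (read === readSolidFill && typeof OffscreenCanvas === 'undefined') {
    return { scope: name, supported: false, noise: null, perturbedBytes: 0 };
  }
  const perturbedBytes = countPerturbedBytes(read());
  return { scope: name, supported: true, noise: perturbedBytes > 0, perturbedBytes };
}

// Scopes that returned an exact readback, i.e. where protection is missing.
function unprotectedScopes(results) {
  return results.filter((r) => r.supported && !r.noise).map((r) => r.scope);
}
```

Run `checkScope` once in each scope with protections enabled and collect the results on the page; any name returned by `unprotectedScopes` is a context where the readback was exact.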
Please keep in mind that as of Safari 17.4, Safari only adds noise to canvases in private windows/tabs and not regular windows/tabs by default. To change this, you must change Safari's Settings under `Advanced` > `Use advanced tracking and fingerprinting protection` > `in all browsing`.
Update: Apple seems to have changed their tune.
- abrahamjuliot for writing the script that brought this issue to my attention and being generally awesome.
Apple's Security Engineers for being comically incompetent.
(c) 2024 Joe Rutkowski (Joe12387), released under the MIT License