PSA: Brave leaks graphics card model to websites

banana · June 9, 2025, 1:35am

Through HTML canvas, Brave leaks the exact make and model of the user’s graphics card. Try it on CreepJS and let me know your results.

This is a very particular and isolating aspect of your machine to be disclosed. This must be an oversight of sorts, right?

micdan · June 9, 2025, 4:44am

Not much to do. If you feel uncomfortable you may need to switch to another browser. Using that tool I was able to see my installed extensions AFAIR^[1].

AFAIK, but instead of “know” it’s “remember”. ↩︎

anonfox · June 9, 2025, 5:02am

github.com/brave/brave-browser

Brave still exposes too much fingerprintable information

opened 08:55PM - 28 Jan 24 UTC

BenjaminAster

privacy priority/P4 privacy/tracking

I did some research on fingerprinting and browser's defenses, and I think there …are several pieces of somewhat fingerprintable information that Brave still exposes and that could rather trivially be spoofed/farbled/disabled: - `(await navigator.userAgentData.getHighEntropyValues(["platformVersion"])).platformVersion` returns the exact operating system version. On Android, this provides the major Android version (e.g. 12/13/14 etc.) and on Windows, it [provides](https://github.com/chromium/chromium/blob/main/components/embedder_support/user_agent_utils.cc) the [number corresponding to the yearly Windows release](https://github.com/WICG/ua-client-hints/issues/220#issuecomment-870858413) (`14.0.0` = Windows 11 21H2, `15.0.0` = Windows 11 22H2 etc.). This value could easily be spoofed by always returning the most up-to-date version of the known OS (`14.0.0` on Android, `15.0.0` on Windows, etc. (I don't know about Linux/MacOS/ChromeOS)) - WebGL renderer & vendor info (see https://github.com/brave/brave-browser/issues/31229#issuecomment-1913661444) - WebGPU is currently [still enabled](https://github.com/brave/brave-browser/issues/31274) in Brave by default. As far as I know, Brave provides no canvas farbling whatsoever for it (only for WebGL and Canvas2D). Also, it is possible to read the GPU vendor and rough architecture via `await (await navigator.gpu.requestAdapter()).requestAdapterInfo()`. - External Protocol Flooding is still [not fixed](https://github.com/brave/brave-browser/issues/15875). - Audio latency & sampling rate: the [`sampleRate`](https://developer.mozilla.org/en-US/docs/Web/API/BaseAudioContext/sampleRate), [`baseLatency`](https://developer.mozilla.org/en-US/docs/Web/API/AudioContext/baseLatency) and [`outputLatency`](https://developer.mozilla.org/en-US/docs/Web/API/AudioContext/outputLatency) properties of [`AudioContext`](https://developer.mozilla.org/en-US/docs/Web/API/AudioContext) give information about the system's audio processing capabilities. - Recursion call stack size: One can measure the browser's JS maximum recursion call stack size by creating a web worker looking something like this: ```js onmessage = () => { let stackSize = 0; try { const recursion = () => { stackSize++; recursion(); }; recursion(); } catch { postMessage(stackSize); } }; ``` and sending it a message. This provides a reliable and repeatedly-the-same value, even in incognito (6350 in my case). However, I don't know how different these numbers are on different devices, so the information entropy _might_ be rather low for this one. - the WebAuthn `await PublicKeyCredential.isConditionalMediationAvailable()` and `await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` APIs return `false` for the (probably rather few) users where these authentication methods are not available, making them somewhat unique. Should these methods be overridden to always return `true`, possibly causing compat issues? - `performance.memory.jsHeapSizeLimit` returns the JS heap size limit. It is stable across different websites & visits, although I don't know how much entropy this property really has (might be the same for most users; 2,172,649,472 bytes on my machine). - `new Intl.DateTimeFormat().resolvedOptions().timeZone` returns the true time zone, including city information (e.g. Europe/Vienna for me). This has been discussed several times here and the consensus was apparently that spoofing the value to a normed city per time zone wouldn't work since every country has their own rules regarding daylight savings time, and therefore calendar applications wouldn't work reliably anymore. But wouldn't it be possible here to expose the true time zone with city information after an opt-in from the user? For 99% of websites, having the general time zone (i.e. the offset from UTC) is perfectly enough.

github.com/brave/brave-browser

Brave fingerprinting failures: high entropy: Web page resolution & WebGL Vendor & Renderer

opened 10:17PM - 19 Dec 24 UTC

voidastro4

Platform: Linux x86-64 Desktop https://coveryourtracks.eff.org Ignore their sco…ring, pay attention to what information they are able to learn about your system. WebGL Vendor & Renderer reveals a lot of information. On Linux it even reveals the exact kernel version up to the third digit. Exact web page resolution is revealed. System bars with non-standard height/width or adjusted vertical tab width makes you **completely unique**. **privacytests.org incorrectly states that Brave hides screen information. coveryourtracks.eff.org clearly shows your screen information.**

Also

WebGPU is currently still enabled in Brave by default. As far as I know, Brave provides no canvas farbling whatsoever for it (only for WebGL and Canvas2D). Also, it is possible to read the GPU vendor and rough architecture via await (await navigator.gpu.requestAdapter()).requestAdapterInfo().

JohnDose · June 9, 2025, 6:33am

Interesting.
Even with maximum privacy/security related settings on Brave’s secret(inprivate) mode, it still leaks my exact GPU model.

Mullvad browser definitely does not.

Once again, I appreciate how strong Mullvad/Tor’s antifingerprinting capabilities are.

anonfox · June 9, 2025, 9:18am

You can activate the advanced anti-fingerprinting mode from brave flags, which should hide it from WebGL, but that might make you more fingerprintable since very few people use it.

Topic		Replies	Views
All Chromium browsers including Brave give special access to system/tab CPU/GPU only for Google domains General browsers	8	1432	July 17, 2024
Hangout services API - Brave Questions browsers	2	113	February 3, 2025
Chronium-based browsers send an enormous amount of data to Google General	3	373	July 22, 2024
Brave exposes too much fingerprintable information General	0	550	April 22, 2024
Brave extensions and fingerprinting General	27	1916	August 5, 2023

PSA: Brave leaks graphics card model to websites

Related topics