Web Workers are leaking the true navigator.platform

I think you use Win32 as navigator.platform by default. Your plugin also allows overriding it according to the User Agent, I think.

But regardless how you populate navigator.platform, it seems to stay

"platform": "Linux x86_64",

when using Web Workers. Luminati.io data collectors are also affected.

I saw this issue when testing with creepJS.

For a quick check, visit with stealth puppeteer: https://abrahamjuliot.github.io/creepjs/tests/workers.html

Edit: True platform is also leaked in iframes: https://abrahamjuliot.github.io/creepjs/tests/iframes.html

Unfortunately, I don’t know how to fix it.

Quick PoC:

// webworker.js
var workerData = {
  platform: navigator.platform,
}

postMessage(JSON.stringify(workerData, null, 2));

And your index.html

<div>
  <pre id="webWorkerRes">
  </pre>
</div>

<script>
  var w;

  if (typeof(Worker) !== "undefined") {
    if (typeof(w) == "undefined") {
      w = new Worker("webworker.js");
      document.getElementById("webWorkerRes").innerHTML = 'started...';
    }
    w.onmessage = function(event) {
      document.getElementById("webWorkerRes").innerHTML = event.data;
    };
  } else {
    document.getElementById("webWorkerRes").innerHTML = "Sorry! No Web Worker support.";
  }
</script>

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 9 (5 by maintainers)
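
The inconsistency reported above, seen from the detection side, as an added example that is not part of the original issue or of the plugin's code: it compares a few navigator properties between the main thread and a dedicated worker and reports any that differ. The property list, function names and sample values are assumptions constructed for illustration.

```javascript
// Added example: consistency check between main-thread and worker navigator.
// CHECKED_PROPS and the sample objects are constructed, not taken from the issue.
const CHECKED_PROPS = ['platform', 'userAgent', 'hardwareConcurrency', 'language'];

// Pick the compared properties from a navigator-like object.
function snapshot(nav) {
  const out = {};
  for (const key of CHECKED_PROPS) out[key] = nav[key];
  return out;
}

// Return one entry per property whose value differs between the two scopes.
function diffScopes(mainSnap, workerSnap) {
  return CHECKED_PROPS
    .filter((key) => mainSnap[key] !== workerSnap[key])
    .map((key) => ({ key, main: mainSnap[key], worker: workerSnap[key] }));
}

// Browser only: run snapshot() inside a dedicated worker built from a Blob,
// so the values come from WorkerNavigator rather than window.navigator.
function collectWorkerSnapshot() {
  const src = `const CHECKED_PROPS = ${JSON.stringify(CHECKED_PROPS)};
${snapshot.toString()}
postMessage(snapshot(navigator));`;
  const url = URL.createObjectURL(new Blob([src], { type: 'text/javascript' }));
  return new Promise((resolve, reject) => {
    const worker = new Worker(url);
    const done = (fn, value) => { worker.terminate(); URL.revokeObjectURL(url); fn(value); };
    worker.onmessage = (e) => done(resolve, e.data);
    worker.onerror = (e) => done(reject, e);
  });
}

// Constructed sample mirroring the report: overridden main thread, untouched worker.
const sampleMain = { platform: 'Win32', userAgent: 'UA-A', hardwareConcurrency: 8, language: 'en-US' };
const sampleWorker = { platform: 'Linux x86_64', userAgent: 'UA-A', hardwareConcurrency: 8, language: 'en-US' };

function demo() {
  return diffScopes(sampleMain, sampleWorker);
}

if (typeof window !== 'undefined' && typeof Worker !== 'undefined') {
  // In a page: compare the live scopes.
  collectWorkerSnapshot().then((w) => console.log(diffScopes(snapshot(navigator), w)));
} else {
  // Outside a browser: run on the constructed sample.
  console.log(demo());
}
```
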

Top GitHub Comments

4 reactions
berstend commented, Mar 13, 2021

We have an internal fix for handling workers (all 3 types: service-/web-/dedicated workers) for puppeteer. Haven’t found a way yet to surface all necessary events in playwright (their change to abstract CDP communication away with their own wire protocol makes this harder).

I didn’t have time to clean this up and add it to the public stealth code, so it’s good to have a canonical issue for that matter as reference. 😃

0 reactions
berstend commented, May 5, 2021

There’s no closed-source defense here; as I explained earlier, the presence of workers can be verified easily as they run in the browser.

This is an open-source project, so everyone is welcome to add worker support themselves or even create a PR here to share that with others (wouldn’t hold my breath for that though).

If one is unable/unwilling to do so then they need to wait until I find the time in my busy schedule to add this to the open-source repo. There’s no ETA as I’m doing this in my free time for fun.

If worker support is business critical my profile has contact info and information about my hourly rate.
