
Wow, CSS system color keywords seem like a massive privacy leak. I just tested setting the property:

  background: Background;
on an element, and then changing my Windows desktop background. The element immediately changes color to match my desktop. Then if I call getComputedStyle on the element, I get my desktop background color in JavaScript. This is in Firefox private mode, and apparently every website can read all my system colors. Why in the world is this enabled by default?

https://www.w3.org/wiki/CSS/Properties/color/keywords#System...
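
Added example, not part of the original comment: a self-audit you can paste into your own browser console to see which system color keywords a page can read back through getComputedStyle and which of them differ from a stock profile. The function names `probeSystemColors` and `auditExposure`, the keyword subset, and the `baseline` object (values you record yourself on an uncustomized profile) are assumptions of this sketch.

```javascript
// Subset of the CSS2 system color keywords; "Background" is the one tested above.
const SYSTEM_COLORS = ["Background", "Highlight", "HighlightText", "ButtonFace",
                       "ButtonText", "Window", "WindowText", "GrayText"];

// Apply each keyword to a throwaway element and read the computed value back.
// `win` is a browser window object (hypothetical parameter name).
function probeSystemColors(win, keywords = SYSTEM_COLORS) {
  const doc = win.document;
  const el = doc.createElement("div");
  doc.body.appendChild(el);
  const seen = {};
  try {
    for (const kw of keywords) {
      el.style.backgroundColor = "";
      el.style.backgroundColor = kw;
      // A keyword the browser does not support is rejected by the CSS parser,
      // so the inline property stays empty; record that as null.
      seen[kw] = el.style.backgroundColor === ""
        ? null
        : win.getComputedStyle(el).backgroundColor;
    }
  } finally {
    doc.body.removeChild(el); // leave the page as we found it
  }
  return seen;
}

// Compare the probe against a baseline recorded on a stock profile.
// Every keyword that differs is readable, user-specific state. 24 bits per
// color is only an upper bound (a full RGB value); real-world entropy is lower.
function auditExposure(seen, baseline) {
  const customized = Object.keys(seen).filter(
    (kw) => seen[kw] !== null && seen[kw] !== baseline[kw]);
  return { customized, worstCaseBits: 24 * customized.length };
}

// In a browser console, print what this profile exposes.
if (typeof window !== "undefined" && window.document) {
  console.log(probeSystemColors(window));
}
```

An empty `customized` list means the probed keywords are supported but match the baseline, so they add nothing beyond identifying the platform default.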



It's already trivially easy to fingerprint a user in about a dozen other ways via:

User Agent String (being fixed soon by the Chrome team)

HTTP_ACCEPT headers

Browser plugin metadata

Time zone

System fonts

Supercookies

Canvas and WebGL fingerprinting

AudioContext

Device CPU and memory

What's one more bit of information?


Many of these should also not be exposed to websites without explicit authorization.


Huh, neat. If anyone else is curious I threw all the color codes on my site here: https://traverseda.github.io/code/cssColourTest.md.html


...how exactly does your system background colour include personal information?


It can be used for fingerprinting


I mean, not to be defeatist but... once you’ve got JS turned on you’ve already handed out such a massive amount of entropy I’m not sure this one extra item makes a huge difference.


> one extra bit

If it's the OS default, it's probably worthless. But if it isn't, I would imagine it could be quite unique, no? Presuming it's an RGB color, that's 16M possibilities. And there are multiple system colors, meaning even more chance you're a snowflake if you customized them. If you chose a random color on just 2 of them, that's probably enough to make you unique among the entire world. (But it is, of course, likely that you might choose something common, like #ff00ff.)

If you turn off JavaScript, that's also probably a pretty good signal, no? (I'm just hearing someone shouting "There are dozens of us! Dozens!")


If you turn JavaScript off, the only information the website can get is user agent and IP, which would narrow it down much less than using JavaScript even just among the pool of non-JavaScript users.

Keep in mind that there are a lot of services that load sites without JavaScript enabled (scrapers, mail, preloading).


Pretty sure you can get some extra information through CSS media queries that only trigger a server hit when active (allowing you to add, say, screen size and color range to the fingerprint even without JavaScript).

https://stackoverflow.com/questions/53838754/css-media-queri...


I'd imagine most of the background colors are the same, as most people set an image as their background.

I've not really thought about (or even know, to be honest) what my desktop background color is these days. It's not something I've thought about since Windows 95. Once XP came along with that pretty background, I think I've used a photo ever since.

But oh well, 1 more bit is one more bit for the people that do still set a background.


I set my background to a solid color. Mostly so compression on screenshots and screen captures is more effective. Though, I’d consider me an edge case here.


I tested on MacOS and iOS and the colours don’t change in Chrome or Safari.

None changed - I changed my system highlight on MacOS and desktop background on both, and had no changes here.

I don’t have a Linux or Windows machine around to test with.


Doesn't seem to affect Safari



