clouedoc's blog

Why does Akamai use two canvases for fingerprinting?

Akamai uses two canvases. What is their purpose?

Camille Louédoc-Eyriès's photo
Camille Louédoc-Eyriès
·

2 min read

Why does Akamai use two canvases for fingerprinting?

Photo by Kate Stone Matheson on Unsplash

Did anyone else notice that Akamai generated two canvases? One of them is large, and the other is pretty small.

The big canvas they use looks like this: image.png

It is, of course, used for canvas fingerprinting.

The small (16x16) canvas they use looks like this: image.png

(sorry, you will have to zoom a bit)

My intuition is that the checksum of the small canvas will be the same on every GPU and OS. They use the first canvas for fingerprinting and the second one to check that the user did not apply noise to their canvases. (anti-canvas-fingerprinting extension will indiscriminately apply noise to all canvases)

This intuition coincides with a 2014 research paper I recently skimmed through, where you can read:

Enforcing a 16x16 pixel size limit allowed us to filter out scripts that read too few pixels to efficiently extract the canvas fingerprint. Although there are 28192 possible color combinations for a 16x16 pixel image, operating systems or font libraries only apply anti-aliasing (Which is an important source of diversity for canvas fingerprinting) to text larger than a minimum font size.

Source

E.g. Akamai could catch people adding noise to ALL their canvases this way.

👆 This shows the importance of reading research papers and writing your evasions instead of using black box extensions

Further reading: Antoine Vastel - The Intriguing Sneaker Bot industry

Edit: my fix looks like this

      /**
       * Add noise to a given canvas
       * This function will cause the canvas fingerprint to change.
       */
      function manipulate(canvas: HTMLCanvasElement): void {
        const { width, height } = canvas;

+       if (width * height <= 16 * 16) {
+         // skip image manipulation on small canvases
+         return;
+       }
    [... snip ...]

I feel better now 😁

EDIT: I might be wrong

Nexus from the Extra Community pointed out that the small canvas is not the same across devices. Shoutout for the heads-up!

image.png

image.png

image.png

My intuition tells me still that Akamai uses the small canvas to detect noise tampering, so I'll stay with this approach.

I need to research this subject by doing some A/B testing.

botbotsHTML CanvascanvasJavaScript