WebGL technology in Anti-Fraud systems and user identification techniques

01.11.24

WebGL (Web Graphics Library) is a powerful technology for rendering 3D graphics in browsers that utilizes the power of the graphics processing unit (GPU). Unlike Canvas, WebGL not only allows you to work with 2D graphics, but also opens new horizons of 3D rendering and GPU computing for web developers. Due to its ability to generate unique results, WebGL has found its application in anti-fraud systems, where its capabilities help track and identify users' devices through unique digital fingerprints.

#### History of WebGL's creation and purpose

WebGL was developed as an extension to Canvas and was first introduced by the Khronos Group organization in 2011. As an open standard for rendering graphics on web pages, WebGL has made it possible to eliminate third-party plugins such as Flash or Java, greatly improving the performance and security of web applications.

WebGL has extended the capabilities of HTML5 and JavaScript by adding support for 3D rendering and improved GPU interaction. This makes it useful not only for gaming, visualization, and scientific research, but also for anti-fraud systems, where WebGL can help uniquely identify users' devices through a “graphical fingerprint.”

#### WebGL's technological capabilities

WebGL offers developers a number of unique tools for creating complex graphics:

- Working with 3D graphics. WebGL supports drawing complex 3D models and textures using hardware acceleration. This allows you to build realistic visual objects that offer high performance.

- Access to shaders. WebGL uses shaders (programs executed by the GPU) that allow detailed rendering of objects, creating complex texture effects and higher quality graphics.

- Animation and interactivity. WebGL's capabilities allow you to build dynamic Web applications, visualize scientific data, and create complex models such as virtual worlds and interactive simulations.

These features make WebGL a tool in a variety of domains, as well as a useful assistant in antifraud systems to provide uniqueization and fraud protection.

#### WebGL in anti-fraud systems: protection from fraudsters

Modern antifraud systems use the WebGL graphical fingerprint to identify devices. Unlike Canvas, the WebGL fingerprint is not only based on pixel rendering, but also depends on the GPU and browser-supported features. This helps anti-fraud systems create unique fingerprints for each device and identify suspicious activity.

##### How does WebGL help identify the user?

When rendering objects on WebGL, different devices may produce slight differences in the image due to hardware features of GPUs, shaders, and drivers. Factors that affect rendering results include:

- GPU - different GPU models process 3D objects and textures differently.

- Supported shaders and extensions - The set of supported shaders, as well as their specifications and precision, vary by device.

##### Browser settings and rendering features.

Anti-fraud systems use these features to create a unique fingerprint by detecting differences at the graphics and feature level, such as texture sizes and maximum values of uniform variables. These parameters combine to create a graphical fingerprint that, when combined with other data, helps identify the user.

##### **Methods for spoofing fingerprints** **WebGL**

Fraudsters use a variety of methods to spoof WebGL graphical fingerprints and bypass anti-fraud systems. Among them are:

- Shader and texture imitation. Attackers can modify shaders and textures with added noise, which helps to modify the WebGL fingerprint.

- Implementing pre-stored fingerprints. Some programs are capable of spoofing fingerprints, producing results pre-recorded from other devices, making them difficult to detect.

##### What kind of information can a Web resource retrieve from a browser using WebGL?

The full list of WebGL properties and values for the browser can be seen on the test page <a href="https://test-webapi.tech/webglfull" target="_blank"> https://test-webapi.tech/webglfull</a>. We will consider the most important parameters for anti-fraud systems in detail, but first let's check how the noise overlay works in WebGL. We told in detail about how the values are formed when taking a fingerprint in the <a href="https://detect.expert/ru/blog/canvas-technology-in-anti-fraud-systems-and-user-i/" target="_blank">article</a>, now let's conduct a small test, let's look at the WebGL fingerprint of Chrome browser and antidetect-browser without noise and with noise, let's open the page <a href="https://browserleaks.com/webgl" target="_blank">https://browserleaks.com/webgl</a> in each of them.

Chrome browser:

Let's note these values:

WebGL Report Hash: af7f2acd5c7ab718eb78ab2d368860bd

WebGL Image Hash: 3151260603d8157a55323d306cc161fb49

Unmasked Vendor: Google Inc. (NVIDIA)

Unmasked Renderer: ANGLE (NVIDIA, NVIDIA GeForce RTX 3060 (0x00002503) Direct3D11 vs_5_0 ps_5_0, D3D11)

Noiseless anti-detect browser:

Anti-detect browser using noise:

WebGL Report Hash: af7f2acd5c7ab718eb78ab2d368860bd

WebGL Image Hash: 3151260603d8157a55323d306cc161fb49

Unmasked Vendor: Google Inc. (NVIDIA)

Unmasked Renderer: ANGLE (NVIDIA, NVIDIA GeForce RTX 3060 (0x00002503) Direct3D11 vs_5_0 ps_5_0, D3D11)

WebGL Report Hash: 251d629a393c4f10bfffe3b506696fdd

WebGL Image Hash: 61b18870e8f14f14f0058bc5533468c685c

Unmasked Vendor: Google Inc. (NVIDIA)

Unmasked Renderer: ANGLE (NVIDIA, NVIDIA GeForce GTX 1050 Ti (0x00001C8C) Direct3D11 vs_5_0 ps_5_0, D3D11)

From the test results, we can see that the values have changed when noise is overlaid, and we can conclude that the anti-detect browser is successfully spoofing our WebGL fingerprint.

##### How do anti-fraud systems detect WebGL fingerprint spoofing?

Anti-fraud systems use methods to recognize WebGL fingerprint spoofing:

- Deviation checking. The system analyzes and compares the WebGL fingerprint with device parameters, such as the maximum number of uniform variables and supported extensions. If the values do not match the actual device specifications, it may indicate a fake.

- Distortion of rendering. Anti-fraud systems can image and check how devices render certain objects. For example, if the WebGL rendering on a device does not match standard parameters, this could signal tampering.

- Parameter stability testing. There may be tests that check the stability of shaders and textures in the system, as changing them can reveal a spoofed GPU.

The most important parameters for anti-fraud systems in WebGL are: device information (unmaskedVendor, unmaskedRenderer, vendor, renderer, shadingLanguage, version, shadingLanguage2, version2), technical specifications (maxFragmentUniformVectors, maxTextureSize) and extensions.

Anti-detect browsers successfully spoof device information, let's see how anti-fraud systems can check technical parameters: let's check real values of maxFragmentUniformVectors by opening our test page <a href="test-webapi.tech/webglmaxfr" target="_blank">https://test-webapi.tech/webglmaxfr</a> in the browser, which checks the maximum number of uniform vectors under load.

Chrome browser on the computer:

The actual value is as stated in the browser properties.

Since desktop devices usually have a maxFragmentUniformVectors value of 1024, let's open the same page on an Android cell phone in the Chrome browser:

In the cell phone browser, the data obtained from the browser properties is as true.

Now let's try in the anti-detect browser to substitute the values for the phone values and repeat the test.

Let's open our test page:

The antidetect-browser with substitution of maxFragmentUniformVectors value did not pass the test, and it is logical because we run it on our computer with maxFragmentUniformVectors:1024 value

Let's perform a similar test for maxTextureSize by opening our test page <a href="test-webapi.tech/webglmaxt" target="_blank">https://test-webapi.tech/webglmaxt</a> in a browser, which checks the maximum texture size under load in the context of Webgl.

Chrome browser on a computer:

The actual value matches the one stated in the browser properties.

Since desktop devices typically have maxTextureSize set to 16384, let's open the same page on an Android cell phone in the Chrome browser:

In the cell phone browser, the data obtained from the browser properties is as true.

Now let's try in the anti-detect browser to substitute the values for the phone values and repeat the test

Let's check the value on the browserleaks.com site

Let's open our test page

Anti-detect-browser with substitution of maxTextureSize value did not pass the test, our test found that texture size 4097 is supported by our browser, and it is logical, because we run it on our computer with maxTextureSize:16384 value.

##### **Extensions** **WebGL**

Let's see how anti-fraud systems can use information about WebGL extensions to identify users. The list of extensions differs at the level of device types and manufacturers. To identify users, antifraud systems can use a check to see if each of the known extensions is supported in the user's browser. Let's look at a simple example of how this might look like:

In the example, for simplicity, there are two numbers against each WebGL extension, the first value indicates whether the extension is declared or not in the browser properties, the second number indicates whether the extension is supported or not after verification by testing. This large number of values can result in a fairly unique hash for each user.

#### **Performance Tests** **WebGL**

On the test page, let's create a program that will test the performance of the device and calculate the time in which our program will execute.

Results for desktop devices:

NVIDIA GeForce RTX 3060: 2023.6ms

AMD Radeon RX580: 1132.0ms

AMD Radeon™: 1611.2ms

Intel UHD 620: 2576.1ms

Vulkan 1.3.0: 1364.2 ms

Results for mobile devices:

Mali-G77: 3369.3 ms

Mali-G76: 5111.1ms

Adreno™ 642L: 4534.0 ms

Adreno™ 642: 5763.3 ms

Adreno™ 618: 9821.0ms

According to the test results it is noticeable that mobile devices take much longer to cope with WebGL rendering task, but a significant difference in execution time can be obtained only in tests with complex tasks, which can hardly be applied in anti-fraud systems, in tests with simple tasks it is quite problematic to draw conclusions about device performance by estimating the time spent on WebGL graphics rendering tasks.

##### **WebGL** **Amazon** **and** **Facebook** as an example
Let's take an example of two sites and see what data they get about the user using WebGL technology.

Let's open the Amazon homepage, and using the developer tools, search the java script files for functions that contain “renderer”, “canvas”, “webgl”, “vendor”, and investigate what data the site retrieves using these functions.

As a result, we'll see that Amazon's homepage site collects information about Vendor, Renderer, and Extensions properties.

Let's repeat the test on the Facebook site.

Facebook site on the account login page collects Vendor, Renderer information from the user's browser.

We can conclude that when creating new accounts on these sites, it is desirable that the WebGL properties being checked differ between accounts, and when reusing/logging in, the properties do not change within the same profile.

##### **Frames Per Second (FPS)**
This parameter measures the frequency at which the image is updated.

WebGL, allows developers to get FPS data directly from the browser, which is often used in anti-fraud systems. For the average user, in the vast majority of cases, the FPS value is at 60 or higher, while programs often reduce this value to 30, in order to reduce the load on the hardware during operation. This downward variation in FPS for anti-fraud systems is an important indicator of the use of browser automation.

#### Conclusion

Many anti-fraud systems on popular resources utilize WebGL technology and not only identify users' devices through unique graphical fingerprints, but also provide tools for fraud detection and prevention. The use of spoofing, parameter stability analysis and comparison with real device characteristics significantly increases the effectiveness of anti-fraud systems. Substitution of values and use of noise by anti-detect browsers in WebGL is not a magic way to bypass the protection of popular sites.

In the conclusion of the article, we present a possible method for detecting WebGL noise:

Changing the rendering results in WebGL using noise overlay is based on substituting pixel color values, specifically the color of semi-transparent pixels. The presented approach is under testing and does not cover all possible substitution options.

Let's proceed to the tests:

Let's open the page <a href="test-webapi.tech/webgltamper" target="_blank">https://test-webapi.tech/webgltamper</a> in a normal Chrome browser:

Repeat in an anti-detect browser without using noise:

Now let's test in an anti-detect browser with WebGL noise overlay:

Let's see how noise overlay is calculated in this approach. First we get the hex from the webgl buffer, and decode the hex in reverse order of encoding, as a result we get a color value for each pixel in the image, the sequence of these actions is completely consistent with getting values in anti-fraud systems. In the next step we compare the color of the pixel of the main part of the figure drawn with WebGL (red) and the color of the semi-transparent pixel that is on the border of the white background and the triangle, in our case we compare the values of red hue R and transparency A, as a result we get the difference of values in percent. On normal devices, the difference between the red hue and transparency of two such pixels should be the same (in theory, our pixel color should change by the same value by which its transparency value changes), but when imposing noise by swapping the colors of semi-transparent pixels, the difference in red hue and transparency between the two pixels changes.

In the screenshots from the test we see that the difference between the red hues without noise overlay has a value of R: 50.20% and the difference in the transparency of the same pixels A: 50.20%, when noise is overlaid in the anti-detect browser we get the following values R: 48.63% and A: 50.59%

In this article we have analyzed how anti-fraud systems can use WebGL technology to identify users, detect users using fingerprint spoofing. WebGL technology allows to collect a lot of information for user identification, for this reason it is often used in antifraud systems. At the same time, changing video card information (unmaskedVendor, unmaskedRenderer, vendor, renderer, shadingLanguage, version, shadingLanguage2, version2) within the same video card manufacturer's lineup allows to change the fingerprint and not arouse suspicion of anti-fraud systems.

In the next article we will continue the analysis of browser technologies used in antifraud systems.

_Bannykh M.V._

Not with us yet?

Antidetect

Canvas Technology in Anti-Fraud Systems and User Identification Methods.

The article examines Canvas technology in web development, its application in anti-fraud systems, methods of creating and spoofing fingerprints, and the impact of noise overlay on user identification.

Antidetect

26.10.24

Antidetect

Comparison of WebGPU performance and capabilities on different devices for antifraud tasks

WebGPU technology in Antifraud systems and methods of user identification

This paper describes how WebGPU technology assists anti-fraud systems in user identification and anti-fraud efforts by utilizing unique graphical fingerprints of devices. The capabilities of WebGPU in creating accurate digital fingerprints and detecting c

_Bannykh M.V._

09.11.24

WebGL technology in Anti-Fraud systems and user identification techniques

Related posts

Canvas Technology in Anti-Fraud Systems and User Identification Methods.

WebGPU technology in Antifraud systems and methods of user identification