At the authentication stage, the clicker’s frontend makes a POST request to https://api.hamsterkombatgame.io/auth/auth-by-telegram-webapp.
In the body of the request, in addition to the Telegram user data required for authentication, the fingerprint property is transmitted, containing the user ID hash and a set of information typical of the browser fingerprint. The fingerprintjs library is used to generate the fingerprint. In its free version, it allows you to identify the user with an accuracy of 40-60%, while the paid commercial version increases the figure to 99.5%. Hamster Kombat uses the free version 4.2.1, downloaded from the npm registry.
For those unfamiliar, Hamster Kombat is a clicker game inside Telegram where players earn fictitious currency by completing simple tasks, with rewards for logging in daily.
Like other mobile clicker games, the basic gameplay of Hamster Kombat involves repeatedly tapping the screen to gain more points.
Recently, I needed to run a web application built into Telegram, called Mini App, in a regular browser.
The object of study was the most popular clicker at the moment, Hamster Kombat. The solution was a script for the TamperMonkey browser extension, in which I implement the window.Telegram object with a substituted platform property to bypass the check that the application is launched on a mobile device. But the most interesting thing turned out to be something else.
While searching for a solution, I came across some curious behavior of the clicker. At the authentication stage, the frontend makes a POST request to https://api.hamsterkombatgame.io/auth/auth-by-telegram-webapp. In the body of the request, in addition to the Telegram user data required for authentication, the fingerprint property is transmitted, containing the user ID hash and a set of information typical of the browser fingerprint.
What is a browser fingerprint and what does Telegram have to do with it?
A browser fingerprint is a set of information about a user’s browser and system obtained when visiting a web page. It may include:
- User-agent;
- information about installed extensions;
- data on the nuances of the browser’s graphics engine;
- information about the hardware and sensors of the device;
- list of available fonts;
- time zone;
- system language;
- and many other data.
Most browsers have their own unique combination of these characteristics, which are suitable for tracking a person’s movements online without their knowledge. Clearing cookies and private mode will not help.
You can check how much information is available about you in a browser with JavaScript enabled on a special site from the Electronic Frontier Foundation: https://coveryourtracks.eff.org/. Some properties narrow the sample to hundredths of a percent of visitors, and the combination of all the properties leads to a single browser of a specific person, so most likely you will get a message that your browser fingerprint is unique. Let me immediately stipulate that this statement is true for browsers without built-in tracking protection.
Websites can use this technology to protect you – for example, when an attacker tries to log into your bank account using stolen data, the bank will require additional confirmation, since the browser fingerprint has changed. But the browser fingerprint can also be used against you, sniffing out your actions in situations where you wanted to remain incognito – for example, you anonymously exchanged cryptocurrency through an exchanger that has such a fingerprint tracker installed. Its owners will be able to de-anonymize you when you use the same browser to visit a website where you leave your personal data along with the fingerprint.
Finding details
But let’s get back to Hamster. Here are some of the parameters I saw in the transmitted fingerprint: visitorId, fonts, fontPreferences, languages, screenResolution, timezone, platform, vendor, math (acos, acosh, asin...), webGlBasics.
Almost all parameters contained some value. Additionally, without the library’s participation, the user’s User-agent and IP address were transmitted to the web server, and information about the user’s language was transmitted from the Telegram client.
Having studied the source code, I found out that the fingerprintjs library was used to form the fingerprint. In its free version, it allows identifying the user with an accuracy of 40-60%, while the paid commercial version increases the figure to 99.5%. Hamster uses the free version 4.2.1, downloaded from the npm registry.
I wondered, is it possible to use a fingerprint taken in the Telegram browser to track a user outside the messenger, that is, ideally, to determine the user’s Telegram account when visiting a website?
The Telegram client uses a component specially created for embedding a browser. In Android, this is Android System WebView, in iOS – WebKit. And, to answer the question, I decided to take fingerprints from embedded and regular browsers and compare the degree of similarity of fingerprints from different browsers and the browser in the Telegram client. I did not check the web version of Telegram, since everything is obvious there.
Measurements
To take the browser fingerprint, I used the EFF service CoverYourTracks. It provides statistics on all fingerprint characteristics, namely the percentage of browsers with identical characteristics among site visitors over the past 45 days (approximately 170,000 fingerprints).
To take a fingerprint in the Telegram client, I created a bot in which I added some fingerprinting sites as mini-apps, here it is: https://t.me/miniapp_test1_bot
I researched the following devices and browsers:
- Android 11 – Xiaomi smartphone with the August 2022 update. In addition to WebView, I checked the fingerprints of the Chrome and Firefox browsers.
- GrapheneOS, latest update. This version of Android uses Vanadium, a fork of Chromium with some security-oriented changes, as the default browser and WebView component. Firefox and Brave were also checked.
- iPad tablet, latest update. Here I tested WebKit, Safari and Brave.
I didn’t include all fingerprint characteristics in the table, only the most critical ones. Also, I didn’t include the user’s IP address, which can be changed using a VPN. But it’s worth keeping in mind that this address itself can also be a unique fingerprint of the user on the network – for example, if a personal VPN server or a dedicated IP is used. Or, at a minimum, it can be that bit of information that narrows down the subset of visitors with identical characteristics to your device.
Measurement results
The values in the table are taken directly from the statistics issued by the EFF. The number should be understood as follows: every n-th browser has this characteristic value. If the numbers match, then the values match. To get the percentage of browsers, you should divide one by this number.
| Device | Browser | Canvas | WebGL | WebGL Vendor & Renderer | User-agent | HTTP_ACCEPT | Platform | Screen | Language |
|---|---|---|---|---|---|---|---|---|---|
| Android 11 | telegram (WebView) | 350.28 | 533.05 | 370.84 | 170575 | 42643.75 | 44.9 | 202.1 | 74.75 (en) |
| Android 11 | chrome | 350.28 | 533.05 | 370.84 | 258.07 | 156.64 | 8.85 | 202.1 | 49.37 (ru-RU) |
| Android 11 | firefox | 170638 | 10037.53 | 450.23 | 170638 | 6319.93 | 44.9 | 202.1 | 49.37 (ru-RU) |
| GrapheneOS | telegram (WebView) | 278.83 | 672.27 | 584.48 | 85042 | 56694.67 | 44.9 | 75.23 | 74.75 (en) |
| GrapheneOS | vanadium | 278.83 | 736.31 | 301.57 | 264.93 | 41.77 | 8.85 | 75.23 | 1.74 (en-US) |
| GrapheneOS | firefox | 812.79 | 627.52 | 135.57 | 1855.28 | 18965.11 | 8.85 | 75.23 | 1.74 (en-US) |
| GrapheneOS | brave | randomized | randomized | 301.57 | 155.86 | 82.29 | 8.85 | 75.23 | 1.74 (en-US) |
| ipad | telegram (WebKit) | 23.44 | 34.42 | 8.71 | 4859.77 | 497.35 | 8.03 | 566.97 | 151.06 (ru) |
| ipad | safari | 23.44 | 34.42 | 8.71 | 39.27 | 497.35 | 8.03 | 566.97 | 151.06 (ru) |
| ipad | brave | 23.44 | 34.42 | 8.71 | 39.27 | 497.35 | 8.03 | 566.97 | 151.06 (ru) |
Android
The User-agent value is different in all cases, so we will not take it into account.
The characteristics of Canvas and WebGL look more interesting. As we can see, in the case of Android 11, both are identical for the browser in Telegram and for Chrome: the WebGL property allows you to select 0.0018% of users (320 out of 170,000), Canvas – 0.002% (485 users).
In the case of GrapheneOS, the WebGL property differs between browsers, but the Canvas fingerprint is the same (611 users).
Interestingly, the Language property in the built-in browser did not match the system language on either Android device and was always “en”. However, the user language is transmitted by Telegram itself when authenticating the mini-application (property language_code) and can be used for tracking.
The situation is different for Firefox and Brave. Brave’s built-in tracking protection eliminates the possibility of tracking by the graphics engine fingerprint, since this value is randomized. Firefox, built on its own engine, produces completely different values and does not correlate with WebView.
iOS
Since all browsers in iOS are limited by the Safari engine, all characteristics except User-agent are the same. At the same time, due to the standardization of iOS platform versions, characteristics such as Canvas and WebGL are not very specific to a particular device. Thus, the most specific WebGL characterizes 2.9% of users (5000 out of 170000). However, the set of tracked users can be narrowed down by other characteristics. Screen resolution in my case narrows the search to 300 users out of 170000, and the HTTP_ACCEPT characteristic – to 340 users.
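The comparison made above, as an added example (not code from the original article): it takes the "one in N" values from the measurement table, finds which characteristics the Telegram embedded browser shares with a regular browser on the same device, and reports the most specific shared one. The row keys and function names are made up for this example, and the sample size is the article's rounded 170,000, so the crowd sizes are approximate.

```javascript
// "One in N browsers" values copied from the measurement table above.
// null = randomized; User-agent is left out because it differs everywhere.
// The iPad Brave row is identical to Safari and is omitted.
const SAMPLE = 170000; // the article's rounded sample size, so crowds are approximate
const TRAITS = ["canvas", "webgl", "webglVendor", "httpAccept", "platform", "screen", "language"];
const ROWS = {
  "android11/webview": [350.28, 533.05, 370.84, 42643.75, 44.9, 202.1, 74.75],
  "android11/chrome":  [350.28, 533.05, 370.84, 156.64, 8.85, 202.1, 49.37],
  "android11/firefox": [170638, 10037.53, 450.23, 6319.93, 44.9, 202.1, 49.37],
  "graphene/webview":  [278.83, 672.27, 584.48, 56694.67, 44.9, 75.23, 74.75],
  "graphene/vanadium": [278.83, 736.31, 301.57, 41.77, 8.85, 75.23, 1.74],
  "graphene/firefox":  [812.79, 627.52, 135.57, 18965.11, 8.85, 75.23, 1.74],
  "graphene/brave":    [null, null, 301.57, 82.29, 8.85, 75.23, 1.74],
  "ipad/webkit":       [23.44, 34.42, 8.71, 497.35, 8.03, 566.97, 151.06],
  "ipad/safari":       [23.44, 34.42, 8.71, 497.35, 8.03, 566.97, 151.06],
};

// Traits with the same rarity in both rows, i.e. the same underlying value.
// crowd = roughly how many of the sampled browsers share that value.
function sharedTraits(embedded, browser) {
  const a = ROWS[embedded], b = ROWS[browser];
  const shared = [];
  TRAITS.forEach((trait, i) => {
    if (a[i] !== null && a[i] === b[i]) {
      shared.push({ trait, oneIn: a[i], crowd: Math.round(SAMPLE / a[i]) });
    }
  });
  return shared;
}

// The most specific shared trait. Rarities are not multiplied together:
// canvas, WebGL and screen all depend on the same hardware, so they are not independent.
function tightestLink(embedded, browser) {
  const shared = sharedTraits(embedded, browser);
  return shared.length ? shared.reduce((m, t) => (t.crowd < m.crowd ? t : m)) : null;
}

const isEmbedded = (k) => /webview|webkit/.test(k);
for (const key of Object.keys(ROWS).filter((k) => !isEmbedded(k))) {
  const embedded = Object.keys(ROWS).find(
    (k) => isEmbedded(k) && k.split("/")[0] === key.split("/")[0]);
  const link = tightestLink(embedded, key);
  console.log(`${embedded} vs ${key}:`,
    sharedTraits(embedded, key).map((t) => t.trait).join(", ") || "nothing shared",
    link ? `-> tightest: ${link.trait}, about ${link.crowd} browsers` : "");
}
```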
Next, using two more online services, I tested how applicable more accurate fingerprint identification methods were.
Fingerprint.com
The demo version of the commercial library assigns unique visitorId identifiers to all browsers on all platforms with a confidence value of 1. This means that this identifier works well for tracking a single browser instance, but is not suitable for cross-tracking the embedded and primary browsers, as it considers them different instances. However, the full paid version of the library provides the developer with the raw characteristics used to calculate the identifier, which can help link fingerprints.
browserleaks.com/canvas
This version of the Canvas fingerprint, unlike the EFF test, was similar to the Fingerprint identifier and returned 100% uniqueness across all Android browsers, including WebView. In the case of iOS, the Canvas fingerprint hash matched across WebKit and browsers. Of the 156,000 users, 4,000 had the same Canvas fingerprint.
Conclusions
As you can see, tools for calculating a unique browser identifier, such as Fingerprint, are not suitable for tracking a user through Telegram’s built-in browser. They are too precise and consider the built-in and primary browsers to be different instances. However, certain characteristics, such as Canvas and WebGL, match and can potentially be used for identification, since they narrow the search range among fingerprints to hundredths of a percent of visitors. The user’s IP address and additional manual analysis of user data obtained from open sources can play a decisive role in the selection.
For Android, such tracking works only if the visitor uses the Chrome browser. This means that an Android user should use something else to protect themselves from tracking, such as Firefox or Brave. iOS users are in a double bind: on the one hand, their WebKit fingerprint is almost identical to that of any available browser; on the other hand, this fingerprint is identical to that of many other users.
And what about the Hamster?
The most critical properties of Canvas and WebGLExtensions are excluded from the data that Hamster Kombat sends to developers, probably because they are too large. Thus, developers deprive themselves of the most valuable characteristics of Canvas and WebGL for the task of tracking. Only the WebGLBasics property is left (in the table, this is the WebGL Vendor & Renderer column). From this, I conclude that the fingerprint is not taken with the purpose of tracking users outside of Telegram, but in order to either identify multiple accounts of one person on one device (via the property visitorId), or to identify bots running in emulators (via a characteristic set of device data).
