AudioContext Fingerprinting: The Browser Tracker Nobody Talks About
Source: Dev.to
Overview
When we talk about browser fingerprinting, Canvas and WebGL usually steal the spotlight. However, the Web Audio API (AudioContext) is another deterministic source that is much harder to spoof without breaking modern web applications.
The Web Audio API lets web applications synthesize and process audio directly in the browser. It was designed for browser‑based games, synthesizers, and audio workstations. Because different hardware setups (sound cards, CPUs, OS audio stacks) process mathematical audio signals slightly differently, this API can be used to generate a unique hardware signature.
How AudioContext Fingerprinting Works
The technique is surprisingly simple. A tracker does not need access to your microphone—it synthesizes its own sound and measures how your hardware processes it.
- Create an
OfflineAudioContext(orwebkitOfflineAudioContextfor compatibility). - Generate a deterministic audio signal (e.g., a triangle wave at 10 kHz).
- Pass the signal through a dynamics compressor with fixed parameters.
- Render the audio offline, extract a slice of the resulting buffer, and compute a simple hash (e.g., the sum of absolute sample values).
Because the rendering is performed mathematically by the underlying audio stack, the resulting hash is:
- Deterministic – running the code repeatedly on the same machine yields the same number.
- Hardware‑bound – different browsers that share the same audio stack (e.g., Chrome and Edge) usually produce identical hashes, while a different physical machine yields a different value.
- Silent –
OfflineAudioContextrenders without playing sound, so the user never hears anything.
Sample Code
async function getAudioFingerprint() {
const ctx = new (window.OfflineAudioContext ||
window.webkitOfflineAudioContext)(1, 44100, 44100);
// Oscillator
const oscillator = ctx.createOscillator();
oscillator.type = "triangle";
oscillator.frequency.setValueAtTime(10000, ctx.currentTime);
// Compressor
const compressor = ctx.createDynamicsCompressor();
compressor.threshold.setValueAtTime(-50, ctx.currentTime);
compressor.knee.setValueAtTime(40, ctx.currentTime);
compressor.ratio.setValueAtTime(12, ctx.currentTime);
compressor.reduction.setValueAtTime(-20, ctx.currentTime);
compressor.attack.setValueAtTime(0, ctx.currentTime);
compressor.release.setValueAtTime(0.25, ctx.currentTime);
// Connect nodes
oscillator.connect(compressor);
compressor.connect(ctx.destination);
// Render
oscillator.start(0);
const buffer = await ctx.startRendering();
// Simple hash
let result = 0;
const data = buffer.getChannelData(0);
for (let i = 4500; i < 5000; i++) {
result += Math.abs(data[i]);
}
return result.toString(); // Unique AudioContext hash
}Why It Matters for Anti‑Fraud Systems
Many platforms that fight fraud or abuse run an AudioContext check. If two accounts show the same AudioHash while having different IP addresses, the system can infer that the accounts originate from the same physical machine:
Account A: IP 104.22.x.x | AudioHash 124.04183...
Account B: IP 192.42.x.x | AudioHash 124.04183...The matching hash triggers an instant flag.
Mitigation Attempts
- Blocking the Web Audio API – Extensions that completely disable the API make the user stand out, because almost all normal users allow it.
- Adding Random Noise – Some privacy tools inject noise into the rendered buffer, breaking determinism. Advanced scripts (e.g., CreepJS) can detect the noise injection itself, turning it into another fingerprinting signal.
Both approaches increase uniqueness rather than reduce it.
A More Robust Approach
A robust solution must ensure that each browser profile generates a stable but distinct AudioContext hash:
- Consistent within a single profile (appears like a normal computer).
- Different across profiles, even on the same physical machine.
Achieving this requires modifications at the browser engine level, isolating the audio stack per profile.
Solution: FireKey
FireKey is a Chromium‑based anti‑detect browser that isolates AudioContext, Canvas, WebGL, and more than 50 other parameters at the engine level for each profile. It is currently available in a free open beta, allowing you to test your isolation setup against tools such as browserleaks.com.