[SOLVED] Fingerprint Issue with Brave
-
Hi,
I recently encountered a problem with the Brave browser:
it seems that Brave changes the Accept-Language request header, which breaks the WebApp’s fingerprinting functionality.
For example, the initial login request has an Accept-Language header like

    Request URL: https://webmail.kopano.com/webapp/
    Accept-Language: de-AT;q=0.6

Requests to CSS or JS resources then have a different Accept-Language header:

    Request URL: https://webmail.kopano.com/webapp/index.php?version=5.2.0.0-1+168.1&load=translations.js&lang=de_DE.UTF-8
    Accept-Language: de-AT,de;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6,en-AT;q=0.5

If we now take a look at the fingerprinting mechanism, we can see that this results in different hash values -> the request for the translation.js script will terminate the whole WebApp session =(

    public static function getFingerprint()
    {
        $properties = array();
        $properties['HTTP_ACCEPT_LANGUAGE'] = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : 'HTTP_ACCEPT_LANGUAGE_NOT_FOUND'; // <--- THIS IS PROBLEMATIC
        $properties['HTTP_USER_AGENT'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'HTTP_USER_AGENT_NOT_FOUND';
        $properties['REMOTE_USER'] = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : 'REMOTE_USER_NOT_FOUND';
        return md5(json_encode($properties));
    }

Has anyone experienced a similar problem and knows a fix for that browser behaviour? For now I just changed the hash calculation to exclude the Accept-Language header…
-
Okay, never mind, found the problem: it seems that the new Brave release enabled an anti-fingerprinting technique by default:
Disabling this feature in the Brave Shields settings fixes the problem.
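
The mismatch described in this thread, reproduced offline as an added example (not part of the original posts and not Kopano WebApp code). It reuses the hashing from `getFingerprint()` and compares the original key set with the workaround from the first post; `sessionFingerprint()`, its parameters and the User-Agent value are assumptions made for illustration.

```php
<?php
// Added example, not Kopano WebApp code: same hashing as getFingerprint() in the
// post, but the request data and the bound $_SERVER keys are passed in
// (hypothetical signature) so both variants can be compared side by side.
function sessionFingerprint(array $server, array $boundKeys): string
{
    $properties = array();
    foreach ($boundKeys as $key) {
        $properties[$key] = isset($server[$key]) ? $server[$key] : $key . '_NOT_FOUND';
    }
    return md5(json_encode($properties));
}

// Constructed requests: the Accept-Language values are the two quoted in the
// post, the User-Agent string is a made-up placeholder.
$ua = 'ExampleBrowser/1.0 (constructed)';
$login = array(
    'HTTP_ACCEPT_LANGUAGE' => 'de-AT;q=0.6',
    'HTTP_USER_AGENT'      => $ua,
);
$asset = array(
    'HTTP_ACCEPT_LANGUAGE' => 'de-AT,de;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6,en-AT;q=0.5',
    'HTTP_USER_AGENT'      => $ua,
);

$variants = array(
    'original key set'        => array('HTTP_ACCEPT_LANGUAGE', 'HTTP_USER_AGENT', 'REMOTE_USER'),
    'without Accept-Language' => array('HTTP_USER_AGENT', 'REMOTE_USER'),
);

foreach ($variants as $label => $keys) {
    $stored  = sessionFingerprint($login, $keys); // value computed for the login request
    $current = sessionFingerprint($asset, $keys); // value computed for the translations.js request
    // hash_equals() compares the two digests in constant time.
    $result = hash_equals($stored, $current)
        ? 'match, session kept'
        : 'mismatch, session terminated';
    printf("%-26s %s\n", $label . ':', $result);
}
```

With Accept-Language removed, the fingerprint binds the session only to the User-Agent and REMOTE_USER values, so the workaround trades some session-binding strength for compatibility with the changing header.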