Can websites analyze your Hardware?

General Privacy & Security
1

Since a few days i get the following error when trying to visit mobile.de:

Access denied
Reference Error: 0.117a2617.1764711957.197945c0

Unfortunately, automated access to this page was denied.
If you are interested in accessing our data, please contact us

I tried different browsers (firefox, chrome, opera), deleting cookies/website data, no browser addons and using a VPN. → Did not solve my problem.
On my Laptop which is connected to the same fritzbox the website works without a problem. But if i use a Virtualbox Linux Mint instance on the laptop i once again get the same error message.

I contacted mobile.de and sent a few emails back and forth but they are just replying with generic, useless answers.

Now my desktop is a workstation with somewhat exotic hardware:

System:
  Kernel: 6.1.0-38-amd64 arch: x86_64 bits: 64 Desktop: KDE Plasma v: 5.27.5
    Distro: MX-23.6_KDE_x64 Libretto April 13 2025
Machine:
  Type: Kvm System: Supermicro product: SYS-551A-T v: 0123456789
    serial: <superuser required>
  Mobo: Supermicro model: X13SWA-TF v: 1.01 serial: <superuser required>
    UEFI: American Megatrends LLC. v: 2.1b date: 05/28/2024
CPU:
  Info: 60-core model: Intel Xeon w9-3595X bits: 64 type: MT MCP cache:
    L2: 120 MiB
  Speed (MHz): avg: 1087 min/max: 800/4600:4700:4800 cores: 1: 800 2: 800
    3: 800 4: 4089 5: 4300 6: 4136 7: 3070 8: 800 9: 4209 10: 800 11: 800
    12: 800 13: 800 14: 4220 15: 800 16: 4179 17: 800 18: 800 19: 800 20: 800
    21: 800 22: 800 23: 800 24: 800 25: 3400 26: 800 27: 800 28: 800 29: 800
    30: 800 31: 800 32: 800 33: 4215 34: 800 35: 800 36: 800 37: 800 38: 800
    39: 800 40: 800 41: 800 42: 800 43: 800 44: 800 45: 3684 46: 800 47: 3750
    48: 800 49: 800 50: 800 51: 800 52: 800 53: 800 54: 800 55: 800 56: 800
    57: 800 58: 800 59: 800 60: 800 61: 800 62: 800 63: 800 64: 800 65: 800
    66: 800 67: 800 68: 800 69: 800 70: 800 71: 800 72: 800 73: 800 74: 800
    75: 800 76: 800 77: 800 78: 800 79: 800 80: 800 81: 800 82: 800 83: 800
    84: 800 85: 800 86: 800 87: 800 88: 800 89: 800 90: 800 91: 800 92: 800
    93: 800 94: 800 95: 800 96: 800 97: 800 98: 800 99: 800 100: 800 101: 800
    102: 800 103: 800 104: 800 105: 800 106: 800 107: 800 108: 800 109: 800
    110: 800 111: 800 112: 800 113: 800 114: 800 115: 800 116: 800 117: 800
    118: 800 119: 800 120: 800
Graphics:
  Device-1: ASPEED Graphics Family driver: N/A
  Device-2: AMD Navi 31 [Radeon Pro W7800] driver: amdgpu v: kernel
  Display: x11 server: X.Org v: 1.21.1.7 with: Xwayland v: 22.1.9 driver: X:
    loaded: amdgpu unloaded: fbdev,modesetting,vesa dri: radeonsi gpu: amdgpu
    resolution: 2560x1440~60Hz
  API: OpenGL v: 4.6 Mesa 25.0.7-2~mx23ahs renderer: AMD Radeon Pro W7800
    (radeonsi navi31 LLVM 15.0.6 DRM 3.49 6.1.0-38-amd64)
Audio:
  Device-1: Intel Alder Lake-S HD Audio driver: snd_hda_intel
  Device-2: AMD Navi 31 HDMI/DP Audio driver: snd_hda_intel
  Device-3: VIA VT1720/24 [Envy24PT/HT] PCI Multi-Channel Audio
    driver: snd_ice1724
  API: ALSA v: k6.1.0-38-amd64 status: kernel-api
  Server-1: PipeWire v: 1.0.0 status: active
Network:
  Device-1: Intel I210 Gigabit Network driver: igb
  IF: eth0 state: down mac: <filter>
  Device-2: Aquantia AQC113C NBase-T/IEEE 802.3an Ethernet [Marvell
    Scalable mGig] driver: atlantic
  IF: eth1 state: up speed: 1000 Mbps duplex: full mac: <filter>
  Device-3: Intel Ethernet X550 driver: ixgbe
  IF: eth2 state: down mac: <filter>
  Device-4: Intel Ethernet X550 driver: ixgbe
  IF: eth3 state: down mac: <filter>
  IF-ID-1: usb0 state: unknown speed: -1 duplex: half mac: <filter>
Bluetooth:
  Device-1: Insyde RNDIS/Ethernet Gadget type: USB driver: rndis_host
Drives:
  Local Storage: total: 86.88 TiB used: 12.42 TiB (14.3%)
  ID-1: /dev/nvme0n1 vendor: Micron model: 7450 MTFDKBG3T8TFR size: 3.49 TiB
  ID-2: /dev/nvme1n1 vendor: Micron model: 7450 MTFDKBG3T8TFR size: 3.49 TiB
  ID-3: /dev/nvme2n1 vendor: Micron model: 7450 MTFDKBG3T8TFR size: 3.49 TiB
  ID-4: /dev/sda vendor: Seagate model: ST22000NM001E-3HM103 size: 20.01 TiB
  ID-5: /dev/sdb vendor: Seagate model: ST22000NM001E-3HM103 size: 20.01 TiB
  ID-6: /dev/sdc type: USB vendor: Seagate model: ST20000NM007D-3DJ103
    size: 18.19 TiB
  ID-7: /dev/sdd type: USB vendor: Seagate model: ST20000NM007D-3DJ103
    size: 18.19 TiB
Partition:
  ID-1: / size: 3.44 TiB used: 146.96 GiB (4.2%) fs: ext4 dev: /dev/nvme0n1p2
  ID-2: /boot/efi size: 252 MiB used: 274 KiB (0.1%) fs: vfat
    dev: /dev/nvme0n1p1
Swap:
  ID-1: swap-1 type: file size: 22 GiB used: 0 KiB (0.0%) file: /swap/swap
Sensors:
  System Temperatures: cpu: 46.0 C mobo: N/A gpu: amdgpu temp: 39.0 C
  Fan Speeds (RPM): N/A gpu: amdgpu fan: 1024
Info:
  Processes: 1147 Uptime: 20d 6h 14m Memory: 503.33 GiB used: 14.52 GiB (2.9%)
  Shell: Bash inxi: 3.3.26

According to ChatGPT it is possible for websites to analyze my hardware and then
flag me as a “bot” because what i’m using looks more like a server than a desktop machine.
I never heard of or seen that though.

ChatGPT also suggested using LibreWolf because that would kinda “hide/fake” my hardware and sure enough that works.
When using LibreWolf i can visit mobile.de but not if i use regular firefox.
But using 2 browsers is impractical and according to ChatGPT websites can also detect how many cpu cores i have etc. and this is apparently information that LibreWolf can’t hide.
So its probably only a matter of time until this “fix” stops working.

So is this real and something new, up and coming for the year 2026?
Do i have to worry that more and more websites will adapt this kind of technology starting in 2026?

Or is something completely different going on?
But it sure looks like they really analyze visitors hardware.

2 Likes
2

With not really knowing all the details, I’m inclined to say no, your hardware processors do not make any difference here. It should not show up to the browser. Here is a comparison site (https://privacytests.org/) that lists quite a lot of things that websites try to do to get info and here is another (https://coveryourtracks.eff.org/) that should show what kind of fingerprint you leave. Problem being that there can be tactics that aren’t listed in those, of course. Also note that not all browsers are equal in covering user privacy.

On the other hand, one reason that I can think of why this could be done by the website, is to stave off AI crawlers (see: Testing anubis to prevent LLM bots from taking down source.puri.sm)

1 Like
3

Depends on exactly what you mean by ‘analyze’.

Can they fingerprint your hardware device? Absolutely.

Take a look at this website and their marketing claims. Then test against your own devices, mobile and workstation.

1 Like
4

Yes, they can - to a degree.

For example, any Javascript that can execute multiple threads without restriction can probe how many CPUs you have (approximately). And that is just the tip of the iceberg.

Have you tried a VM on the desktop? i.e. where you can limit the available resources for the VM. However I acknowledge that a VM on the laptop was a step backwards.

Is the web site operator able to confirm that if you disable Javascript then the web site 100% will fail?

Why? I do that (more than 2 in fact) all the time, for improved resistance both to fingerprinting and compromise.

Nice rig BTW. :wink:

1 Like
5

See also: (Cross-)Browser Fingerprinting via OS and Hardware Level Features

1 Like
6

Here’s what i just found out…

If i do the following in Firefox ESR then mobile.de works again:

1. about:config

2. privacy.resistFingerprinting -> Set to: true

3. Restart Firefox ESR

4. Navigate to "mobile.de" (or any website that blocks you based on fingerprint)

5. Delete Cookies/Website Data from mobile.de (or any website that blocks you based on fingerprint)

6. Reload Page (F5)

7. privacy.resistFingerprinting -> Set to: false

8. Restart Firefox ESR

Note that i do revert the privacy.resistFingerprinting at the end but mobile.de keeps working UNLESS i delete the cookies again.

Do you guys think they use WebGL Fingerprinting the first time someone visits their site and then set a cookie that determines if you are blocked or not?

https://www.zenrows.com/blog/webgl-fingerprinting#what-is-webgl-fingerprinting

Or do you think they go further than just looking at WebGL?

Because if it’s just WebGL i could probably fix it by using a Consumer GPU instead.
But then on the other hand for how long would this fix it until they come up with even deeper analytics…

1 Like
7

I run Firefox permanently with privacy.resistFingerprinting set to true.

(It is most likely the case that if there is some web site that won’t work unless it is false, I would simply not use that web site. Firefox appears to offer privacy.resistFingerprinting.exemptedDomains if there were such a web site that I really really wanted to use.)

PS I also toss everything away on Firefox exit. Yes, that is a bit harsh on the internet connection, but not only is it usually better privacy and security to do that but also it can solve some weird web site problems.

1 Like
8

At first i thought it might only be WebGL Fingerprinting:

https://www.zenrows.com/blog/webgl-fingerprinting#what-is-webgl-fingerprinting

But doing this

1. google-chrome --disable-webgl or --disable-3d-apis

2. Navigate to "mobile.de" (or any website that blocks you based on fingerprint)

3. Delete Cookies/Website Data from mobile.de (or any website that blocks you based on fingerprint)

4. Reload Page (F5)

Source: WebGL Browser Report - WebGL Fingerprinting - BrowserLeaks

Disables WebGL but does not fix the problem. So they are obviously looking at more than just WebGL when creating their fingerprint.

Which brings me back to the original question if i have to fear being kicked out of many websites in the future because of my unusual hardware being flagged as a fraudster of bot.

1 Like
9

As an aside, I would imagine that they are concerned about scraping, more so than LLM learning.

1 Like
10

Unfortunately it looks like the cookies from mobile.de only last for about 1 day. So i would have to do this over and over again or keep the settings “true” permanently which probably risks compatibility problems with other websites. Because of that i think i will just use LibreWolf for browsing mobile.de at this point.

But i’m still wondering if this site is an outlier or if this is one of the “cool” new things for 2026.
Is this (fingerprinting users with their hardware) actively being pushed / sold to developers?

11

The only viable solutions I have found to the browser and device fingerprinting issue is running dedicated VMs via QubesOS, or SimplifiedPrivacy’s HydraVeil product which takes a unique hybrid approach.

12

… well, as I said, I run permanently with true and don’t particularly have a problem with web sites in general. Conversely though, I therefore can’t tell you whether false with the failure in the OP will be the cool new thing for 2026 - but then I don’t have a bot-sized rig as my desktop :wink: and FWIW mobile.de works for me.

And, as said, it looks as if you can exempt a set of other web sites from “resist fingerprinting” if you had to - however I am not doing that (no web sites are in my list to exempt).

13

One avenue for troubleshooting your fingerprinting (or not…) issue, would be to examine what scripts are downloaded and executed (if not blocked by NoScript/UBO and such similar extensions) at page load under the different situations you described (alternate browser, about:config mods, cookies and site data)

Hitting the F12 key inside Firefox and derived browsers will display the dev console - choose the network tab and reload. You will see all the scripts that were downloaded for that page. First thing I would look for, is to confirm whether a fingerprinting script is actually being used - because all the commonly used fingerprinting scripts are well known and due to unimaginative developers, they all say what they do in their names: fp.js, fpjs, fpjs2, fingerp.js, fingerprinting.js, etc…

This way, you could at least confirm if a known fingerprinting script is being used, or if they have a particular more sophisticated method/script/CSS/XHR/fetch/websocket for achieving their devilish task.

2 Likes