DEV Community

FireKey Team
FireKey Team

Posted on

AudioContext Fingerprinting: The Browser Tracker Nobody Talks About

#javascript #webdev #security #privacy

When we talk about browser fingerprinting, Canvas and WebGL usually steal the spotlight. But there's another API that's just as deterministic and much harder to spoof without breaking modern web applications: The Web Audio API (AudioContext).

What is AudioContext Fingerprinting?

The Web Audio API allows web applications to synthesize and process audio directly in the browser. It was designed for browser-based games, synthesizers, and audio workstations.

However, because different hardware setups (sound cards, CPUs, OS audio stacks) process mathematical audio signals slightly differently, this API can be used to generate a unique hardware signature.

How it works (The Code)

The technique is surprisingly simple. A tracker doesn't even need your microphone — it synthesizes its own sound and measures how your hardware processes it.

async function getAudioFingerprint() {
  const ctx = new (window.OfflineAudioContext || window.webkitOfflineAudioContext)(1, 44100, 44100);

  // Create an oscillator
  const oscillator = ctx.createOscillator();
  oscillator.type = "triangle";
  oscillator.frequency.setValueAtTime(10000, ctx.currentTime);

  // Create a compressor
  const compressor = ctx.createDynamicsCompressor();
  compressor.threshold.setValueAtTime(-50, ctx.currentTime);
  compressor.knee.setValueAtTime(40, ctx.currentTime);
  compressor.ratio.setValueAtTime(12, ctx.currentTime);
  compressor.reduction.setValueAtTime(-20, ctx.currentTime);
  compressor.attack.setValueAtTime(0, ctx.currentTime);
  compressor.release.setValueAtTime(0.25, ctx.currentTime);

  // Connect the nodes
  oscillator.connect(compressor);
  compressor.connect(ctx.destination);

  // Render the audio
  oscillator.start(0);
  const buffer = await ctx.startRendering();

  // Generate a hash from the resulting audio data
  let result = 0;
  const data = buffer.getChannelData(0);
  for (let i = 4500; i < 5000; i++) {
    result += Math.abs(data[i]);
  }

  return result.toString(); // Your unique AudioContext hash
}
Enter fullscreen mode Exit fullscreen mode

Why is this signal so dangerous?

  1. It's deterministic: Run this code 100 times on the same machine, you get the exact same number.
  2. It's hardware-bound: If you use two different Chrome profiles, or even two different browsers (like Chrome and Edge) on the same computer, the hash is often identical because the underlying audio stack is the same.
  3. It's silent: It uses OfflineAudioContext, which renders the audio mathematically in the background without playing it through your speakers. The user never hears a thing.

How it correlates multi-account users

If you manage multiple accounts (for social media marketing, e-commerce, or testing), you likely use a VPN to rotate your IP and separate browser profiles to isolate your cookies.

But if the platform runs an AudioContext check (which many modern anti-fraud scripts do), they see this:

  • Account A: IP 104.22.x.x | AudioHash 124.04183...
  • Account B: IP 192.42.x.x | AudioHash 124.04183...

The system instantly flags that these two "different" users are operating from the exact same physical machine.

How to protect against it

The naive approach: Blocking the API

You could use extensions to block the Web Audio API entirely. The problem? Blocking it makes you more unique. Very few normal users disable Web Audio. By blocking it, your fingerprint becomes "The guy who blocks Web Audio," which is a massive red flag for anti-fraud systems.

The spoofing approach: Adding noise

Some privacy extensions try to add random noise to the output buffer. This breaks the determinism (you get a different hash every time), but advanced tracking scripts (like CreepJS) can detect the noise injection itself.

The isolation approach (The right way)

The only robust solution is ensuring that each browser profile generates a stable but different AudioContext hash. It must be consistent within the same profile (so it looks like a normal computer), but completely distinct from your other profiles.

This requires modifying the browser engine itself.

I spent the last few months building FireKey to solve this exact problem. It's a Chromium-based anti-detect browser that isolates AudioContext, Canvas, WebGL, and 50+ other parameters at the engine level for each profile. It's in free open beta if you want to test your isolation setup against tools like browserleaks.com.

Top comments (0)