5

I'm giving a class of high school students a demo of unexpected things a webpage can tell about them from their mobile - even if they're not signed in or anything. So far I have picked a couple of things most people would know about, like:

Device OS

Specific handset (unless you're on iPhone, then it's just iPhone)

Language setting

And a couple of more obscure things:

Carrier (hitting a remote service and returning JSONP since js is IP naive)

Battery level / charge status (I didn't even know you could do this until today)

Can you think of anything else cool / creepy in a similar vein that I can dig out of UA / Navigator / etc? Most of them are running Chrome under Android or iOS (which is lucky, not every browser supports the battery thing). The main event is about mobile safety and phishing so I'd like to stick to mobile phones.

Quick edit: for clarity, I'm building out a site they will go to which will actually demo these features - so unfortunately they need to be implemented, at least in Chrome, vs planned / drafts.

penitent_tangent
  • Orientation/acceleration events can tell you if they have shaky hands, or the phone is sitting on a table, or they are using it in bed leaning back. The light sensor is also fun but not very precise. – dandavis Oct 19 '15 at 08:25
  • Orientation is a nice one! Thanks :) – penitent_tangent Oct 19 '15 at 09:03
  • Well if they confirm a dialog, you can get their video camera and microphone input using javascript API. Facebook even does no-flash video calls now in modern browsers, presumably using WebSockets. – Tomáš Zato Oct 19 '15 at 09:14
  • That's very interesting - I was mainly looking for non-authorized actions (e.g hey, this is spooky and you didn't explicitly allow it). However - probably out of time for this year's session, but if I run it again I could write a little "how fast can you tap" game that uses knowledge of the device to put a tap target immediately under the "confirm" button and delay the dialogue until the user reached a certain speed. Although I suspect Android and iOS are smart enough to force a perceptible linger to prevent this exact activity ;) – penitent_tangent Oct 19 '15 at 09:55
  • @penitent_tangent Were I to make a user confirm something he didn't want to, I'd go through social engineering. I'd convince him he wants to. With this one in particular, I'd use words like *modern technologies*, *try what you can do*. – Tomáš Zato Oct 19 '15 at 10:26
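The orientation/acceleration inference from dandavis's comment, worked through as an added example; this is not code from the question or its comments. It assumes `accelerationIncludingGravity` samples in m/s² from the `devicemotion` event, and the classification thresholds and the four sample windows are constructed assumptions, not real sensor captures:

```javascript
// Added example: infer how a phone is being held from a window of devicemotion
// samples. Not from the original post; thresholds and sample data are assumptions.
// In a browser the buffer is filled from the event (Chrome on Android/iOS):
//   const buf = [];
//   window.addEventListener("devicemotion", (e) => buf.push(e.accelerationIncludingGravity));
// Here the windows are constructed inline so the code also runs offline in Node.

const G = 9.81; // m/s^2: magnitude of accelerationIncludingGravity for a phone at rest

// Deterministic pseudo-noise (32-bit LCG), so the constructed windows are reproducible.
function makeSamples(base, noise, n = 50, seed = 42) {
  let s = seed >>> 0;
  const rnd = () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296 - 0.5; // uniform in [-0.5, 0.5)
  };
  return Array.from({ length: n }, () => ({
    x: base.x + noise * rnd(),
    y: base.y + noise * rnd(),
    z: base.z + noise * rnd(),
  }));
}

function axisStats(samples, axis) {
  const n = samples.length;
  const mean = samples.reduce((acc, p) => acc + p[axis], 0) / n;
  const variance = samples.reduce((acc, p) => acc + (p[axis] - mean) ** 2, 0) / n;
  return { mean, sd: Math.sqrt(variance) };
}

// Returns { posture, jitter, tiltDeg } for a window of {x, y, z} samples.
function summarize(samples) {
  if (samples.length < 10) return { posture: "insufficient data", jitter: NaN, tiltDeg: NaN };
  const x = axisStats(samples, "x");
  const y = axisStats(samples, "y");
  const z = axisStats(samples, "z");
  // Jitter: how far readings wander around their mean (tremor, walking, bus ride).
  const jitter = Math.hypot(x.sd, y.sd, z.sd);
  // Tilt: angle between the screen normal (z axis) and the gravity vector.
  // 0 = flat, screen up, on a table; 90 = held vertically in front of the face.
  const mag = Math.hypot(x.mean, y.mean, z.mean);
  const tiltDeg = mag === 0 ? 0 : Math.acos(Math.min(1, Math.abs(z.mean) / mag)) * 180 / Math.PI;
  let posture;
  if (jitter > 1.5) posture = "shaky hands or walking";
  else if (jitter < 0.15 && tiltDeg < 10) posture = "resting flat on a surface";
  else if (tiltDeg > 60) posture = "held upright";
  else posture = "held at an angle (leaning back / in bed)";
  return { posture, jitter, tiltDeg };
}

// Constructed windows, not real captures: m/s^2 with gravity included.
const WINDOWS = {
  onTable: makeSamples({ x: 0, y: 0, z: G }, 0.1),
  shaky: makeSamples({ x: 0, y: 7, z: 7 }, 6),
  upright: makeSamples({ x: 0, y: G, z: 0 }, 0.5),
  leaningBack: makeSamples({ x: 0, y: 5, z: 8.45 }, 0.5), // about 30 degrees from flat
};

// Label every constructed window; this is what the demo page would show the student.
function demo() {
  const labels = {};
  for (const [name, win] of Object.entries(WINDOWS)) labels[name] = summarize(win).posture;
  return labels;
}

console.log(demo());
```

No permission prompt is involved: Chrome on Android fires `devicemotion` for any page without asking, which is what makes it a good "you didn't allow this" item for the demo. The jitter and tilt thresholds are deliberately coarse; a real classifier would be trained on captures from a few phones rather than guessed.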

3 Answers

1

You should mention geographic location. A competent JavaScript library, e.g. MaxMind or Google Analytics, can be used to pinpoint the geographical location of users.

Niklas Rosencrantz
  • That's awesome. I can do this with the IP lookup library I'm using for carrier detection - obviously on the day everyone will be in the lecture hall, so I'll tell them to try the location bit when they get home. – penitent_tangent Oct 19 '15 at 08:15
  • Doesn't that require user confirmation? – Tomáš Zato Oct 19 '15 at 09:13
0

From the phishing point of view, which I consider most important, there are several dangerous things:

Phishing

  • Without add-ons, browsers will not usually warn you if there's one letter different in the address you're visiting. Even though the URL scheme forbids zero-width characters and other Unicode nastiness, you still can overlook l (lowercase L), 1 (one), I (upper case I). There are also many Unicode characters that look like normal alphabet letters. Maybe there's some blacklist on Unicode characters like Greek letters. Check this site to play around. You can try to create some domain name like stackoverflow.com with Greek ο.
  • JavaScript can alter the URL after the domain name. But I haven't seen hosting that would give users folder names in years. Still, it's creepy to see the URL change without a reload:

    // Rewrites the path shown in the address bar without a page load; the origin stays the same.
    window.history.pushState("object or string", "Title", "/new-url");
    
  • Not sure if this applies, but last year HackADay.com revealed a hack where you can change an <a> href after the mouse button was pressed on a link, effectively changing the target URL. But then again, you can also redirect the browser using JavaScript...

Personal data

  • For this, the first thing I'd do is check Window and Document on MDN. This is definitely gonna reveal some cool stuff that makes battery power info look like a puny attempt to be scary:

    • Window:
      • Window.ondevicemotion - does what it suggests. Assume you can also Window.addEventListener("devicemotion", ...)
      • Window.ondevicelight - this one is very creepy but Firefox only
      • Window.ondeviceorientation - much more widely supported event for device movement. Wanna approximate the path your user walks and draw it on canvas? Or make an application that screams "Put the fuking phone down.*" until they put it on the table?
      • Also, there are like a million methods to get various screen properties. Some of those were exploited to guess the OS version, as different OSes have different menu bars taking different screen portions.
    • Document:

      • document.referrer - Wanna track your users?
      • You can detect the presence of ad-blocking add-ons by creating elements like:

        <!-- bait element: id/class names that filter lists such as EasyList hide -->
        <div id="advertisement"
          class="ad advertisement ads banner"
          style="pointer-events: none; position: absolute; opacity: 0;">NOTHING
        </div>


        Then fetch .getBoundingClientRect() and assert non-zero dimensions.

    • You can detect when the document is being inspected by Firebug (or you could in the past, when Firebug actually added elements to the DOM to highlight nodes). These elements are invisible in Firebug but fire DOM mutation events.
  • If the user confirms, sound and video can be recorded.
  • I once created a script that was able to stream all DOM mutations to a server, allowing me to watch another user using a web site in real time. But I didn't finish it to production state unfortunately. But this is how I found out about the Firebug issue.
  • There are other tricks to check if debug tools are running. These are usually various hacks; try to google something.
  • Ever wondered if your users have a CORS-enabled localhost HTTP server running? I mean, isn't it worth a try?
  • WebWorkers allow you to spawn threads on the client machine. You could use this for distributed processing or just to burn their battery. As it doesn't affect the GUI thread directly, they won't notice until it's too late. Also this sounds like a great way to generate hash cracks and crack certificates.
  • You can alter copied text, possibly adding cross-site script hacks into it. A good trick is to offset your script with a shitload of spaces, so that it's not seen in a typical text editor without text-wrap.
  • Using desktop notifications, you can pretend you're an antivirus, Windows Update...
Tomáš Zato
  • This is very exhaustive, thanks! I particularly like the idea of detecting ad blockers and burning battery has some interesting ransomware implications. Device movement is also really cool and there are so many other options on that page... if I do this again next year I think there's going to be a heap more scary stuff. – penitent_tangent Oct 19 '15 at 11:16
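The look-alike hostname checks from the first bullet of the answer above (l/1/I, 0/o, Greek ο inside stackoverflow.com), worked as an added example that is not code from the answer. It assumes an engine with Unicode property escapes and the WHATWG `URL` class (Chrome, Firefox, Node 10+); the confusables table and the trusted-host list are my own short assumptions, trimmed well below the full Unicode confusables data:

```javascript
// Added example, not from the answer above: flags hostnames that look like a
// trusted one. Assumes Unicode property escapes (/\p{...}/u) and the WHATWG URL
// class; the confusables table and trusted list are my own short assumptions.

// Characters, or pairs, that render like a Latin letter in common UI fonts.
// Multi-character entries come first so "rn" is folded to "m" as a unit.
const CONFUSABLES = new Map([
  ["rn", "m"], ["vv", "w"],
  ["1", "l"], ["I", "l"], ["|", "l"],
  ["0", "o"], ["\u03BF", "o"], ["\u043E", "o"],                      // Greek omicron, Cyrillic o
  ["\u0430", "a"], ["\u0435", "e"], ["\u0440", "p"], ["\u0441", "c"], // Cyrillic a, e, er, es
  ["\u0455", "s"], ["\u0456", "i"], ["\u0458", "j"], ["\u0445", "x"], ["\u0443", "y"],
]);

// "Skeleton": fold every confusable to its Latin look-alike, then lowercase.
// Two names with the same skeleton are indistinguishable at a glance.
function skeleton(host) {
  let s = host;
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s.toLowerCase();
}

const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Greek: /\p{Script=Greek}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
};

// Scripts used in one DNS label. Digits, '-' and other Script=Common characters
// are ignored, as they are in browsers' mixed-script checks.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) if (re.test(ch)) found.add(name);
  }
  return [...found];
}

// The ASCII (punycode) form the browser resolves, or null if it is not a valid host.
function toASCII(host) {
  try {
    return new URL("https://" + host + "/").hostname;
  } catch (e) {
    return null;
  }
}

function assessHostname(host, trustedHosts) {
  const lower = host.toLowerCase();
  const ascii = toASCII(host);
  const sk = skeleton(host);
  return {
    host,
    ascii,
    isPunycode: ascii !== null && ascii !== lower,
    mixedScript: host.split(".").some((label) => scriptsIn(label).length > 1),
    skeleton: sk,
    // trusted names this host would be mistaken for at a glance
    looksLike: trustedHosts.filter((t) => t !== lower && skeleton(t) === sk),
  };
}

// Constructed inputs for the demo (assumed trusted list, made-up suspects).
const TRUSTED = ["stackoverflow.com", "paypal.com", "google.com"];
const SUSPECTS = [
  "stack\u03BFverflow.com", // Greek omicron, the answer's own example
  "paypa1.com",             // digit one for lowercase L
  "g00gle.com",             // zeros for o
  "\u0430pple.com",         // Cyrillic a in an otherwise Latin label
  "stackoverflow.com",      // the genuine name, should come out clean
];

function report() {
  return SUSPECTS.map((h) => assessHostname(h, TRUSTED));
}

for (const r of report()) {
  console.log(`${r.host} -> ${r.ascii} punycode=${r.isPunycode} mixedScript=${r.mixedScript} looksLike=[${r.looksLike}]`);
}
```

Two different signals come out of this: the `mixedScript`/`isPunycode` flags catch the Unicode trick (and match what modern Chrome does before deciding whether to show the Unicode form or the `xn--` form in the address bar), while the skeleton comparison is the only thing that catches pure-ASCII lookalikes such as `paypa1.com`, which no browser warns about.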
-1

What about any of these...

  • You can profile their interests based off search history.
  • Frequency they visit and from what locations.
  • Build a profile of what time in the day they visit.
  • Time spent on site.
  • What pages they spend the most time on.
  • Profile based on hot areas of page clicks or where the mouse cursor is.
  • You can profile typical user behaviour.

The result of all of this is pushing personalized marketing, i.e. what you're seeing is targeted to you, as an individual (Google does this a lot with their ads).

Seabizkit
    All great points, but I'm after information that can be surfaced on your first visit to a page by any bad actor - so no prior search history. Also mobile only, although I guess you could infer left handed / right handed-ness to a reasonable degree of accuracy if I had some buttons with sliced tap targets? But again, might not be well suited to a quick demo. – penitent_tangent Oct 19 '15 at 08:56
  • And sorry, the -1 isn't me - hopefully you can see that somewhere? I really appreciate the answer :) – penitent_tangent Oct 19 '15 at 08:57
  • But there's one -1 for me. The things you describe above are mostly only possible under special circumstances (specifically only if you control Google's servers, or other users' favorite search engine). Others are rather broad to be described based on an algorithm - it's like saying you can tell whether they are right/left handed based on mouse events. Statistically, you sure can, but as much as you can detect a rose on a bitmap. – Tomáš Zato Oct 19 '15 at 09:12
  • @penitent_tangent yeah sorry the "care to comment" was not directed at you, instead it was meant for the person who -1, as to me it does not make sense... and if it does... it would be helpful to know why. PS i never thought of "infer left handed / right handed-ness" even tho i suggested watching hot spots. +1 to you for that. – Seabizkit Oct 19 '15 at 09:14