Unveiling Privacy Risks in WebGPU through Hardware-based Device Fingerprinting

Hohentanner K, Kemmerzell N, Florschütz S (2025)

Publication Type: Conference contribution

Publication year: 2025

Publisher: Association for Computing Machinery, Inc

Pages Range: 65-75

Conference Proceedings Title: WiSec 2025 - Proceedings of the 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks

Event location: Arlington, VA US

ISBN: 9798400715303

DOI: 10.1145/3734477.3734700

Abstract

Privacy is a fundamental right concerned with the protection and control of personal and sensitive information. A common threat to user privacy is the monitoring and tracking of individuals during web browsing without their consent. A common technique used for this purpose is browser fingerprinting, which exploits characteristics of a user's device to create a unique identifier. Traditionally, software-based fingerprints have been used for this purpose. Recently, hardware-based fingerprinting has gained attention due to its resilience to privacy-enhancing technologies. WebGPU is a modern JavaScript API that enables webpages to efficiently utilize a device's Graphics Processing Unit (GPU) for general-purpose computation. This paper focuses on the impact of WebGPU on hardware-based fingerprinting. We show that by using this web API, the execution behaviour of a device's GPU can be characterized to reidentify the device while evading privacy mechanisms. We introduce AtomicIncrement, a novel fingerprinting approach based on the scheduling behaviour of compute shaders which is usable within WebGPU with both high accuracy and low computational impact. In our evaluation, a classifier can reidentify a device with an accuracy of 70% from a pool of 500 devices using AtomicIncrement fingerprints, highlighting the privacy threat of WebGPU-based fingerprinting for modern web browsing. A robustness analysis with over 2 million fingerprints shows that the accuracy remains stable under various device conditions.

Authors with CRIS profile

Nils Kemmerzell Lehrstuhl für Wirtschaftsinformatik, insbesondere IT-Management

Involved external institutions

Technische Universität München (TUM) DE Germany (DE) Rubean AG DE Germany (DE)

How to cite

APA:

Hohentanner, K., Kemmerzell, N., & Florschütz, S. (2025). Unveiling Privacy Risks in WebGPU through Hardware-based Device Fingerprinting. In WiSec 2025 - Proceedings of the 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks (pp. 65-75). Arlington, VA, US: Association for Computing Machinery, Inc.

MLA:

Hohentanner, Konrad, Nils Kemmerzell, and Steffen Florschütz. "Unveiling Privacy Risks in WebGPU through Hardware-based Device Fingerprinting." Proceedings of the 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2025, Arlington, VA Association for Computing Machinery, Inc, 2025. 65-75.

BibTeX: Download