OS Detection without Useragent String?

Forum Moderators: DixonJones

Message Too Old, No Replies

OS Detection without Useragent String?

See firefox home page.

Sunnz

4:29 pm on Mar 25, 2008 (gmt 0)

Hi, first poster here I guess... hope my question isn't too n00bish.

I've been playing around with useragent string lately, because it seems to be the way of detecting user's browser/OS... but it can be very unreliable, as these can be changed very easily with modern web browsers.

But if you look at web sites like www.mozilla.com/firefox, it seems like they are not using the useragent string for OS detection! Today I have modify my useragent string to a non-existing OS and browser, and mozilla.com is still be to detect my real OS!

So I am wondering how did they do that? Is there some other techniques for OS detection? They are not using OS fingerprinting are they?

Thanks.

phranque

1:34 am on Mar 26, 2008 (gmt 0)

have you checked the values of all your sent headers?
cleared your cookies?

vincevincevince

2:11 am on Mar 26, 2008 (gmt 0)

Capabilities are far harder to spoof. A simple test is to check if various javascript objects or methods known to only be supported in certain browsers or operating system implementations of those browsers exists.

Sunnz

5:55 am on Mar 26, 2008 (gmt 0)

No I haven't checked all values sent... I don't know what to look for...

As for cookies, I used several laptops that has not been to firefox's website... so I think it is irrelevant.

Yes browser capabilities can be used to determinate the browser... but what about the OS? I ran Firefox on different OS's and the mozilla firefox home page can still detect the real OS reliably.

Sunnz

5:56 am on Mar 26, 2008 (gmt 0)

I guess the real question is... does anyone know how can you prevent firefox's homepage's OS detection... if you can do that, you would have know what technique they used, right?

phranque

7:32 am on Mar 26, 2008 (gmt 0)

welcome to WebmasterWorld [webmasterworld.com], Sunnz!

have you tried spoofing the user agent AND turning off javascript?

As for cookies, I used several laptops that has not been to firefox's website... so I think it is irrelevant.

it may be irrelevant but if you are redirected to the page you see it isn't technically your first visit...

Achernar

11:49 am on Mar 26, 2008 (gmt 0)

They use this technique:

// Borrowed from addons.mozilla.org - thanks :)
var PLATFORM_OTHER = 0;
var PLATFORM_WINDOWS = 1;
var PLATFORM_LINUX = 2;
var PLATFORM_MACOSX = 3;
var PLATFORM_MAC = 4;
// Default to windows
var gPlatform = PLATFORM_WINDOWS;
if (navigator.platform.indexOf("Win32") != -1)
gPlatform = PLATFORM_WINDOWS;
else if (navigator.platform.indexOf("Linux") != -1)
gPlatform = PLATFORM_LINUX;
else if (navigator.userAgent.indexOf("Mac OS X") != -1)
gPlatform = PLATFORM_MACOSX;
else if (navigator.userAgent.indexOf("MSIE 5.2") != -1)
gPlatform = PLATFORM_MACOSX;
else if (navigator.platform.indexOf("Mac") != -1)
gPlatform = PLATFORM_MAC;
else
gPlatform = PLATFORM_OTHER;

Sunnz

11:59 am on Mar 26, 2008 (gmt 0)

Well turning off JavaScript does the trick, so they indeed used JavaScript.

And I tried changing the user agent string within my web browser, it indeed seems like what they use! Sometimes I got weird result.

Achernar

1:18 pm on Mar 26, 2008 (gmt 0)

The useragent string is only used to detect MacOSX.

Sunnz

1:33 pm on Mar 26, 2008 (gmt 0)

Ah, I see, detecting OS can be pretty complicated even with JavaScript?

Achernar

2:37 pm on Mar 26, 2008 (gmt 0)

It depend on what information the browser shows to javascript.
Their method is also pretty basic.

On the same front you have browser detection. I've seen most sites, even google, using basic detection that can be spoofed easily by simply changing the user-agent. In fact there are alternative methods to better detect the type of browser. So far, the code I use hasn't reported false positives (100% reliable for FF, IE, Op). I'm sure a solid method can also be devised for OS detection.