I know how many microphones and cameras you have

A curious little data leak, but one I struggle to care about. Perhaps useful for a bit of fingerprinting?

Websites can access your system's camera and microphone. That's how modern video conferencing works in the browser. In an effort to retain user privacy, the browser asks the user for permission to use the camera and mics. No audio or video will be sent until the user agrees.

But some metadata gets shared before you agree!

Visit the WebRTC Detection Experiment site. You'll notice that without you agreeing, the site is able to determine how many microphones you have:

Web browser asking for permission to access microphones. On the page, the number of microphones is displayed.

And how many cameras you have:
Web page showing the device has two cameras, but that webcam permission hasn't been set.

Having two cameras is perhaps a reasonable proxy for being a mobile phone / tablet. One main cam, one selfie cam.

Multiple microphones could be an indicator that the user is on a laptop. Built in microphone and an external USB microphone. Although some phones also present multiple microphones.

The names of the devices aren't sent until after you agree to the permission prompt.

There are inconsistencies between browsers:

Laptop3 mics, 1 camera1 mic, 1 camera
Android1 mic, 2 cameras3 mics, 2 cameras

It is useful to present to the user a selection of input devices. But does the site need to know how many devices are attached before permission has been granted?

The way the iPhone does it, is to present a fake set of data - one mic and one camera - until permission has been granted. Then it shows the real information.

Screenshots of the iPhone showing fake data until permission is granted.

Personally, I think the browser should only indicate a boolean to the site that AV inputs are available. Once permission is granted, then the site can request the number of devices and their names.

What do you reckon?

8 thoughts on “I know how many microphones and cameras you have

  1. It’s trivial, but also an unnecessary leak of personal info - so I think worth some noise (via an undisclosed number of microphones).

  2. Absolutely, this is something which can be used to fingerprint your device and together with other data, enables unauthorised tracking

  3. Yep. Might be trivial but who knows what this info might mean in conjunction with OTHER info. Reminds me of legal stuff around journalism - you can still get yourself in the shit for libel if you publish something that, when used together with other public info, fingers someone.

  4. Same for me in chrome and Edge on PC. Generic "speaker" and "microphone" until I grant permissions, then the other 5 appear. I guess they fixed it.
    IE just fails.

  5. Sam Hack says:

    On Arch Linux default browser shows nope to almost all of them till you grant permission.

Leave a Reply

Your email address will not be published. Required fields are marked *