What Is Media Devices Fingerprinting?

By the Scrappey Research Team

Paste into ChatGPT, Claude, or any LLM

What Is Media Devices Fingerprinting? — conceptual illustration

On this page

Media devices fingerprinting reads the list of cameras, microphones, and speakers a browser reports via navigator.mediaDevices.enumerateDevices(). This is a built-in browser function that lists the audio and video hardware attached to your machine. It returns one entry per audio input (mic), audio output (speaker), and video input (camera), each with a kind, a stable hashed deviceId, a groupId (which links devices that belong to the same physical unit), and - once you grant permission - a human-readable label. The number and shape of those devices is a fingerprint signal, and the common headless failure - reporting zero devices, or a single suspicious default - is a reliable bot tell (headless means a browser running with no visible screen, typically on a server).

API	navigator.mediaDevices.enumerateDevices()
Reads	Counts of audioinput / audiooutput / videoinput, deviceId, groupId, labels
Headless tell	Empty list, or zero audiooutput devices, on a claimed desktop
Permission gate	Labels are blank until camera/mic permission is granted
Coherence	Device counts should match the claimed platform (Mac always has output)

What the device list reveals

Even before you grant permission, enumerateDevices() returns one object per device with its kind (audioinput, audiooutput, or videoinput) and a non-empty deviceId/groupId; only the label stays blank until the user grants camera or microphone access. So a site learns how many devices of each type exist and how they are grouped - enough to tell what class of machine it is. A typical laptop reports at least one microphone, one camera, and one or more audio outputs; a desktop without a webcam reports a microphone and output but no video input.

The numbers cluster by device type and stay stable per machine. That makes them a low-entropy but coherent signal - on its own it does not narrow you down to one person (entropy = how much a value pins down who you are), but it has to agree with the rest of the fingerprint.

The headless tell

Headless browsers on servers usually have no real media hardware, so enumerateDevices() returns an empty array (an empty list) or a single placeholder. On a request claiming to be a normal desktop or laptop, zero devices - particularly zero audiooutput - is anomalous, because real consumer machines almost always have at least a default audio output. macOS in particular always exposes audio output devices, so a "MacBook" with none is incoherent.

Chrome flags like --use-fake-device-for-media-stream add synthetic devices, but those fakes have recognisable default labels and group structure that differ from real hardware. As with audio and WebGL fingerprinting, the believable fix is a device list copied from a real machine of the claimed class, served consistently for the whole session, rather than a generic fake.

Code example

javascript

// Device enumeration an anti-bot script reads (no permission needed for counts)
async function deviceFingerprint() {
  const devs = await navigator.mediaDevices.enumerateDevices();
  const count = { audioinput: 0, audiooutput: 0, videoinput: 0 };
  for (const d of devs) count[d.kind] = (count[d.kind] || 0) + 1;
  return count;   // e.g. { audioinput:1, audiooutput:2, videoinput:1 }
}

// Server-side suspicion (pseudo):
//   devs.length === 0                       -> headless / no hardware
//   /Macintosh/.test(ua) && audiooutput===0 -> incoherent (Macs always have output)
//   all labels blank AND permission granted -> spoof artifact

Related terms

What Is Browser Fingerprinting?

Browser fingerprinting is a technique that identifies and tracks a visitor by combining dozens of small, observable characteristics of their…

What Is AudioContext Fingerprinting?

AudioContext fingerprinting plays a silent waveform through the Web Audio API, then reads back the resulting floating-point samples and hash…

What Is Headless Browser Detection?

Headless browser detection is the set of probes anti-bot systems use to distinguish a headless or instrumented Chrome session from a real us…

What Is a WebRTC IP Leak?

A WebRTC IP leak is when your browser quietly reveals your real IP address — even though you set up a proxy to hide it. It is the most-overl…

What Is Fingerprint Clustering?

Fingerprint clustering is the practice of grouping fingerprints from millions of real visitors by similarity, then rejecting any new visitor…

What Is Camoufox?

Camoufox is a fork of Firefox with anti-fingerprinting patches applied at the C++ build level. That phrase matters: most anti-fingerprinting…

What Is Anti-Bot Detection?

Anti-bot detection is the set of techniques websites use to tell automated traffic apart from real human visitors — and then block, challeng…

How Browser Fingerprinting Works

Browser fingerprinting is how a site combines signals — canvas, WebGL, audio, fonts, navigator probes, TLS (the encryption layer behind http…

Anti-Bot Vendor Detection Cheatsheet

A useful first step when working with any protected site you are authorized to access is identifying which anti-bot vendor sits in front of …

How Do Websites Detect Web Scrapers?

Websites spot scrapers by gathering hundreds of small clues about each visitor, then scoring how human the whole picture looks. No single cl…

Concept map

How Media Devices Fingerprinting connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

Can a site read my camera and microphone names without permission?

It can read how many input and output devices exist, plus their kind and grouping, without permission - but the human-readable names (labels) stay blank until you grant camera or microphone access. The counts alone are enough to characterise the machine and to catch a headless browser reporting zero devices.

Why is an empty device list a bot signal?

Because real consumer desktops and laptops almost always have at least a default audio output, and usually a microphone. A server-hosted headless browser typically has no media hardware, so enumerateDevices() returns an empty array - which, on a request claiming to be a normal computer, is anomalous, especially the absence of any audiooutput.

Do Chrome fake-device flags fix this?

Partly - they make the list non-empty, but the synthetic devices have default labels and group structure that differ from real hardware and can be recognised. A device list copied from a real machine of the claimed class and served consistently is more convincing than the generic fakes.

Last updated: 2026-05-31