What Is WebAssembly Fingerprinting?

Paste into ChatGPT, Claude, or any LLM

On this page

WebAssembly fingerprinting is a 2026 detection layer that probes the actual CPU through WASM SIMD instructions and uses WebAssembly.Memory({shared:true}) as a high-resolution timer. Both signals run natively, below the JavaScript hooks that Camoufox, CloakBrowser, PatchRight, and similar stealth tools patch. Anti-bots increasingly include WASM probes in their scoring payloads, which means stealth browsers leak even when their visible APIs are perfectly aligned.

Two probe types	SIMD CPU timing + SharedArrayBuffer timer
Timer resolution	~100,000 Hz — distinguishes ~6 µs intervals (17× finer than performance.now)
Reveals	CPU microarchitecture (NEON, SSE, AVX), vector register width
Defeats	Camoufox, CloakBrowser, PatchRight, undetected-chromedriver — all patch JS, not WASM
Status	Live in DataDome scoring (May 2026), Chrome marked the leak Won't Fix (crbug 40057687)

WASM SIMD probes the CPU itself

WebAssembly SIMD gives browsers access to 128-bit vector operations that map directly to CPU instructions. Anti-bots ship tiny WASM modules that execute SIMD ops in deterministic patterns and time them. The results reveal vector register width, NEON (ARM) vs SSE (older Intel/AMD) vs AVX (modern x86) availability, and microarchitecture quirks unique to each CPU model.

The crucial property: stealth browsers patch what the browser reports about itself. WASM SIMD probes the actual silicon. A real Mac with M2 silicon cannot be spoofed to look like an Intel laptop, because the timing fingerprint comes from the chip, not the browser. Source: Anthony Manikhouth, DataDome detection engineer, blog.azerpas.com, May 2026.

SharedArrayBuffer = 17× timer precision

Chrome floors performance.now() at 100 µs on non-isolated pages to prevent Spectre-style timing attacks. But one line of JavaScript breaks that: new WebAssembly.Memory({shared:true}).buffer returns a real SharedArrayBuffer on any page, with no special headers required. Paired with an Atomics.add counter in a worker, this gives an incrementing timer at ~100,000 Hz — distinguishing ~6 µs intervals, 17× finer than the timer Chrome intends third parties to have.

Anti-bots use this fine-grained timer to detect micro-timing differences in canvas render, JS execution jitter, and animation-frame variance — patterns that differ between humans and bots at sub-millisecond scale. Reported to Chrome as crbug 40057687, marked Won't Fix. Source: Manuel, brokenbrowser.com.

The hyphenation-dictionary probe

The third WASM trick used in production isn't a CPU probe at all — it's a check of which hyphenation dictionaries the browser ships. WebKit, Gecko, and Blink each bundle different hyphenation dictionaries for the Intl API. A WASM probe loads a known phrase and inspects how the browser breaks it across lines. The result reveals which rendering engine is underneath, even when the User-Agent claims otherwise.

This catches a specific class of scraper: Camoufox claiming to be Chrome. Camoufox is Firefox under the hood, so its Intl hyphenation matches Gecko. A request with a Chrome User-Agent but Gecko hyphenation is unambiguously a Firefox-based stealth tool. Akamai's sensor.js and DataDome's WASM challenge both include this check.

The defence is the same as for the other WASM probes — patch the engine below the JS layer, or use a tool whose hyphenation matches its claimed UA. There is no JS-level workaround.

What this means for stealth scraping

The decade-long arms race of better JavaScript patches has hit a ceiling. The next wave of anti-bot innovation runs below the JS layer, and the next wave of bypass innovation runs below the cloud-browser layer. For 2026, accept that your stealth browser leaks WASM signals on top-tier targets (DataDome's per-site ML, Akamai sensor.js, F5 Shape) and plan accordingly:

For those targets, find the mobile API first, then fall back to a managed API.
For everything else, stealth browsers are still effective — WASM probing is expensive to deploy and is concentrated on highest-value targets.
For long-term strategy, the winners will operate real consumer hardware on real ISP networks — distributed-browser networks rather than cloud-hosted stealth Chromium.

Code example

javascript

// What an anti-bot ships in a WASM module to time-fingerprint the CPU.
// Stealth browsers cannot patch this because the work happens natively.

const sab = new WebAssembly.Memory({ shared: true }).buffer;
const view = new Int32Array(sab);

// Spin a worker that increments view[0] as fast as possible
new Worker(URL.createObjectURL(new Blob([`
  const view = new Int32Array(self.sab);
  while (true) Atomics.add(view, 0, 1);
`])));

// Read it ~100,000 times per second — a 17× higher-resolution timer
// than performance.now() on non-isolated pages.
const before = Atomics.load(view, 0);
// ... do a SIMD op ...
const elapsed = Atomics.load(view, 0) - before;

Related terms

What Is Anti-Bot Detection?

Anti-bot detection is the set of techniques websites use to distinguish automated traffic from human users — and to block, challenge, or thr…

What Is Browser Fingerprinting?

Browser fingerprinting is a technique that identifies and tracks a visitor by combining dozens of small, observable characteristics of their…

What Is Camoufox?

Camoufox is a stealth-focused fork of Firefox with anti-fingerprinting patches applied at the C++ build level. Unlike playwright-stealth, wh…

What Is DataDome?

DataDome is a bot-protection vendor used on roughly 1,200 enterprise sites, scoring more than 5 trillion signals per day. Unlike Cloudflare …

What Is Function.toString() Inspection?

Function.prototype.toString() inspection is the technique anti-bot scripts use to detect runtime JavaScript patches. Every JS function expos…

Anti-Bot Vendor Detection Cheatsheet

The first step of any scrape against a protected site is identifying which anti-bot vendor is in front of it. The vendor determines almost e…

Concept map

How WASM Fingerprinting connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

Can I patch WASM SIMD timing?

Not from the browser layer. WASM SIMD runs natively against your CPU — patching it would require intercepting at the OS or hypervisor level, which breaks the browser. The only workable mitigation is hardware diversity: real machines produce different SIMD fingerprints naturally.

Do all anti-bots use WASM fingerprinting?

Not yet universally. DataDome is the documented adopter as of May 2026. Cloudflare, Akamai, and PerimeterX are believed to be experimenting. Adoption is concentrated on highest-value targets first because the WASM probe adds payload size and execution time.

Will Chrome ever fix the SharedArrayBuffer timer?

The Chrome team marked it Won't Fix in crbug 40057687. The trade-off is between blocking timing attacks (which would break legitimate use cases) and the privacy implications of finer timing. The leak is now considered a permanent feature of the platform.

Does Camoufox handle this?

Camoufox patches Firefox's JS-visible APIs at the C++ level. It does not modify the WebAssembly execution layer or SIMD timing output. Same for CloakBrowser, PatchRight, and every other stealth tool documented in 2026. This is a layer none of them touch yet.

Why are WASM-based probes so much harder to spoof than JS-based ones?

WASM runs as bytecode the page brought with it, not as JS the page exposes. There are no methods to overload, no prototypes to patch, no toString() to spoof. The probe reads the result of running real CPU instructions — the only way to fake the result is to compromise the engine itself.

Last updated: 2026-05-27