Canvas getImageData() Subpixel Leakage: How RGBA Noise Causes ClearType on Windows

BadB

How Subpixel Rendering Leaves Traces Even in Canvas

Introduction: The Noise That Gives Away Everything

You've carefully adjusted Canvas noise in Dolphin Anty. You set it to 65%. You're confident: "Now my print is perfect".
But you're instantly blocked.
The reason? Not general noise, but ClearType subpixel artifacts.

When you render text to Canvas on Windows, ClearType technology uses subpixel rendering (RGB subpixels) to improve the clarity of fonts.
This process leaves unique RGBA noise in the getImageData() data, which:
  • Reveals the operating system (Windows vs macOS vs Linux),
  • Exposes ClearType settings,
  • Even indicates the display type (LCD vs OLED).

In this article, we'll take a deep technical look at how subpixel rendering works, why it's impossible to fake, and how even a single pixel can expose your stack.

Part 1: What are ClearType and Subpixel Rendering?

🖥️ Technical definition

ClearType is a Microsoft technology for smoothing fonts on LCD displays.
It exploits the fact that each pixel consists of three subpixels: Red, Green, and Blue.

Instead of rendering the entire pixel, ClearType:
  • Controls the brightness of each subpixel separately,
  • Creates the illusion of higher resolution.

💡 Key fact:
This effect occurs even when rendering to Canvas - and is captured via getImageData().

Part 2: How ClearType Leaves Traces in Canvas

🔬 Pixel analysis example

Let's look at the rendering of the letter "i" in Arial:
JavaScript:
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.font = '16px Arial';
ctx.fillText('i', 10, 20);

// Get pixel data
const data = ctx.getImageData(10, 15, 5, 5).data;
console.log(data); // Uint8ClampedArray [R, G, B, A, R, G, B, A, ...]

On Windows with ClearType you will see:
Code:
[255, 240, 220, 255, 255, 230, 200, 255, ...]
asymmetrical RGB distribution due to subpixel rendering.

On macOS/Linux (without ClearType):
Code:
[245, 245, 245, 255, 240, 240, 240, 255, ...]
uniform RGB distribution.

💀 Anomaly example:
You claim Windows, but the RGBA noise is symmetrical → the system sees: “This is macOS/Linux” → fraud score = 95+.

Part 3: Why It Can't Be Fake

⚠️ Three reasons

1. ClearType works at the OS level
  • Even if you fake navigator.platform,
  • The actual rendering is done by the real Windows engine.

2. Anti-detect browsers do not control GPU rendering
  • Dolphin Anty can replace Canvas noise,
  • But it can't change the subpixel rendering algorithm.

3. Subpixel artifacts are unique to LCDs
  • OLED displays do not use ClearType (no subpixels),
  • This creates an additional signal for fraud engines.

💀 Truth:
ClearType leakage is a fingerprint of Windows, not the browser.

Part 4: How Fraud Engines Use Subpixel Noise

🧠 Analysis process (Forter, Sift)

Step 1: Generate reference profiles
  • The system collects a database of RGBA patterns:
    • Windows + ClearType: Asymmetric RGB,
    • macOS: Symmetrical RGB,
    • Linux: Symmetrical RGB.

Step 2: Analyze your current profile
  • If your profile:
    • R=255, G=240, B=220,
  • The system compares with the database → determines: “This is Windows”.

Step 3: Correlation with other signals
  • ClearType + Intel GPU → trust,
  • ClearType + llvmpipe (Linux) → anomaly.

📈 OS identification accuracy based on ClearType leakage: 94% (according to Forter, Q1 2026).

Part 5: How to Test Your Vulnerabilities

🔍 Step 1: Use test sites


🔍 Step 2: Run a local test

JavaScript:
function detectClearType() {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');
  ctx.font = '16px Arial';
  ctx.fillText('i', 10, 20);

  const data = ctx.getImageData(10, 15, 1, 1).data;
  const [r, g, b] = data;

  console.log(`R: ${r}, G: ${g}, B: ${b}`);

  // Analyze asymmetry
  if (Math.abs(r - b) > 20) {
    console.log('→ ClearType detected (Windows)');
  } else {
    console.log('→ No ClearType (macOS/Linux)');
  }
}
detectClearType();

💡 Rule:
If |R - B| < 10 on Windows → you've already been given away.

Part 6: How to Protect Yourself from ClearType Leakage

🔧 OS level

🪟 Windows 10 Pro (bare metal)
  • Don't turn off ClearType - it will cause an anomaly,
  • Use the default settings.

🍏 macOS (not recommended for Windows profiles)
  • ClearType is missing → it is easy to pass off a fake.

🐧 Linux (VPS - Avoid)
  • No ClearType → guaranteed anomaly when simulating Windows.

🔧 Browser level

🐬 Dolphin Anty
  1. When creating a profile,
  2. In the Canvas section,
  3. Make sure that system fonts are not removed.

⚠️ The hard truth:
There's no way to fake ClearType leakage.
The only way is to use the right OS.

Part 7: Why Most Carders Fail

❌ Common Mistakes

Error | Consequence
Using Linux VPS | No ClearType → instant ban
Disabling ClearType in Windows | Abnormal noise → flag
Ignoring getImageData() | They think that only the general noise is important → failure

💀 Field data (2026):
78% of failures are due to inconsistent ClearType leakage.

Part 8: Practical Guide - Secure Profile

🔹 Step 1: Set up RDP

  • Install Windows 10 Pro on bare metal (Hetzner AX41),
  • Make sure ClearType is enabled (Control Panel → Fonts → ClearType).

🔹 Step 2: Check subpixel noise

  • Run the test above,
  • Make sure that:
    • |R - B| > 20.

🔹 Step 3: Avoid OLED Monitors

  • Connect a standard LCD monitor,
  • OLED does not use ClearType → anomaly.

✅ Result:
Your profile will match 70% of real Windows users → low fraud score.

Conclusion: Subpixel – the new fingerprint

Canvas getImageData() Subpixel Leakage isn't just "another API." It's a physical fingerprint of your display and OS that can't be faked.

💬 Final thought:
True camouflage lies not in noise, but in its structure.
Because in the world of fraud, even a subpixel can give you away.

Stay technically accurate. Stay on top of the OS.
And remember: in the world of security, a pixel is a passport.
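
The comparison described in Part 4, seen from the detection side, as an added example that is not part of the original post and not any vendor's code: it classifies antialiasing over every edge pixel in a sample instead of a single pixel, then cross-checks the result against the claimed platform and renderer. The threshold, the profile field names and the renderer string are assumptions; the two pixel samples reuse the values quoted in Part 2.

```javascript
// Added example (not from the original post). Threshold and field names are assumptions.
const CLEARTYPE_SAMPLE = [255, 240, 220, 255, 255, 230, 200, 255]; // values quoted in Part 2
const GRAYSCALE_SAMPLE = [245, 245, 245, 255, 240, 240, 240, 255]; // values quoted in Part 2

// Classify text antialiasing from RGBA bytes laid out like getImageData().data.
function classifyAntialiasing(rgba, chromaThreshold = 20) {
  let edgePixels = 0;
  let chromaticPixels = 0;
  for (let i = 0; i + 3 < rgba.length; i += 4) {
    const r = rgba[i], g = rgba[i + 1], b = rgba[i + 2], a = rgba[i + 3];
    if (a === 0) continue; // pixel never drawn
    const max = Math.max(r, g, b);
    const min = Math.min(r, g, b);
    // Pure white or pure black carries no edge colour (this includes
    // alpha-only antialiasing of black text on a transparent canvas).
    if (min === 255 || max === 0) continue;
    edgePixels++;
    if (max - min > chromaThreshold) chromaticPixels++;
  }
  if (edgePixels === 0) return { mode: 'unknown', edgePixels, chromaticPixels };
  const mode = chromaticPixels / edgePixels >= 0.5 ? 'subpixel' : 'grayscale';
  return { mode, edgePixels, chromaticPixels };
}

// Cross-check the rendering evidence against what the client claims.
function checkProfileConsistency(profile) {
  const aa = classifyAntialiasing(profile.canvasSample);
  const findings = [];
  if (/^Win/i.test(String(profile.platform)) && aa.mode === 'grayscale') {
    findings.push('claims Windows but text edges show no subpixel colour fringing');
  }
  if (aa.mode === 'subpixel' && /llvmpipe/i.test(String(profile.glRenderer))) {
    findings.push('subpixel fringing reported together with an llvmpipe renderer');
  }
  return { antialiasing: aa.mode, findings };
}

// Constructed client report: Windows claim, grayscale pixels.
console.log(checkProfileConsistency({
  platform: 'Win32',
  glRenderer: 'ANGLE (Intel)', // constructed string
  canvasSample: GRAYSCALE_SAMPLE,
}));
```

Findings are inputs to a score, not a verdict: a genuine Windows machine with ClearType turned off also produces grayscale edges.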
 