Web browser extensions could be used as a means of identifying users and tracking them across the web, new research suggests.
Online tracking has been the bane of the internet from the earliest days, but over the last few years people have become increasingly unwilling to put up with invasions of privacy. While some people claim tracking is necessary to provide personalized ads, and thus keep internet services free, others shiver at the thought of companies keeping tabs on what they do online.
Ever since Google announced it would be killing third-party cookies, stakeholders have been looking for viable alternatives. “Fingerprinting” people based on the various characteristics of the device they use emerged as one of the options. Those characteristics include factors like display resolution, fonts, GPU performance, installed apps and more.
Scanning for extensions
Now, another unique feature can be added to the mix, and that’s the extensions people have installed on their browsers.
As per a BleepingComputer report, a web developer going by the alias ‘z0ccc’ built a fingerprinting site called “Extension Fingerprints” that does just that: fingerprints people based on their Google Chrome extensions.
Some extensions require the use of a secret token to access a web resource as a contingency measure, the researcher says, but there are still methods to learn if an extension is installed on the endpoint or not.
"Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed," z0ccc wrote.
The website scans the visitor’s browser for the presence of the 1,170 most popular extensions available in the Google Chrome Web Store. While the method works on Edge (albeit with a few tweaks), it doesn’t work on Firefox.
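For defenders, the scan described above suggests a check: see which installed extensions declare resources that web pages can request. The following sketch is an added example, not code from z0ccc's site or from BleepingComputer; it assumes Chrome's `web_accessible_resources` manifest key in its Manifest V2 and V3 forms, and the manifests, function names and exposure labels are constructed for illustration.

```javascript
// Constructed sample manifests (not real extensions); keys follow Chrome's manifest format.
const SAMPLE_MANIFESTS = [
  { name: "Sample A (MV2)", manifest_version: 2,
    web_accessible_resources: ["images/icon.png", "inject.js"] },
  { name: "Sample B (MV3, all sites)", manifest_version: 3,
    web_accessible_resources: [{ resources: ["ui/*.css"], matches: ["<all_urls>"] }] },
  { name: "Sample C (MV3, one site, dynamic URL)", manifest_version: 3,
    web_accessible_resources: [{ resources: ["panel.html"], matches: ["https://example.com/*"], use_dynamic_url: true }] },
  { name: "Sample D (nothing declared)", manifest_version: 3 },
];

// Match patterns that let any website request the resource.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Normalise MV2 (array of strings) and MV3 (array of objects) into one shape.
function exposedEntries(manifest) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return [];
  if (war.every((e) => typeof e === "string")) {
    // MV2 form: no per-origin restriction, every listed file is reachable from any page.
    return [{ resources: war, matches: ["<all_urls>"], dynamic: false }];
  }
  return war.filter((e) => e && typeof e === "object").map((e) => ({
    resources: Array.isArray(e.resources) ? e.resources : [],
    matches: Array.isArray(e.matches) ? e.matches : [],
    dynamic: e.use_dynamic_url === true,
  }));
}

// Classify what the manifest declares: "any-site", "restricted" or "none".
function auditManifest(manifest) {
  const entries = exposedEntries(manifest).filter((e) => e.resources.length > 0);
  if (entries.length === 0) return { name: manifest.name, exposure: "none", resources: [] };
  const openStatic = entries.filter((e) => !e.dynamic && e.matches.some((m) => BROAD.has(m)));
  const picked = openStatic.length > 0 ? openStatic : entries;
  return { name: manifest.name, exposure: openStatic.length > 0 ? "any-site" : "restricted",
           resources: picked.flatMap((e) => e.resources) };
}

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.exposure.padEnd(10)} ${r.name}: ${r.resources.join(", ")}`);
}
```

A "restricted" or "none" result only describes what the manifest declares; as the researcher notes above, protected extensions can still be revealed by timing differences.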
"This is definitely a viable option for fingerprinting users," z0ccc told BleepingComputer. "Especially using the 'fetching web accessible resources' method. If this is combined with other user data (like user agents, timezones etc.) users could be very easily identified."
Via BleepingComputer