Web browser extensions could be used as a means of identifying users and tracking them across the web, new research suggests.
Online tracking has been the bane of the internet from the earliest days, but over the last few years people have become increasingly unwilling to put up with invasions of privacy. While some people claim tracking is necessary to provide personalized ads, and thus keep internet services free, others shiver at the thought of companies keeping tabs on what they do online.
Ever since Google announced it would be killing third-party cookies, stakeholders have been looking for viable alternatives. “Fingerprinting” people based on the various characteristics of the device they use emerged as one of the options. Those characteristics include factors like display resolution, fonts, GPU performance, installed apps and more.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
Scanning for extensions
Now, another unique feature can be added to the mix, and that’s the extensions people have installed on their browsers.
As per a BleepingComputer report, a web developer going by the alias ‘z0ccc’ built a fingerprinting site called “Extension Fingerprints” that does just that: fingerprints people based on their Google Chrome extensions.
Some extensions require the use of a secret token to access a web resource as a contingency measure, the researcher says, but there are still methods to learn if an extension is installed on the endpoint or not.
"Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed," z0ccc wrote.
The website scans the visitor’s browser for the existence of 1,170 most popular extensions available in the Google Chrome Web Store. While the method works on Edge (albeit with a few tweaks), it doesn’t work on Firefox users.
"This is definitely a viable option for fingerprinting users," z0ccc told BleepingComputer. "Especially using the 'fetching web accessible resources' method. If this is combined with other user data (like user agents, timezones etc.) users could be very easily identified."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.