Google Chrome Extensions Can Be Fingerprinted For Online Tracking

Share post:

A researcher has built a website that utilizes installed Google Chrome extensions to generate a fingerprint of the device that can be used to track the user online.

In tracking users online, it is possible to create fingerprints, or tracking hashes, using the characteristics of a device connected to a website such as GPU performance, installed Windows applications, a device’s screen resolution, hardware configuration, and the installed fonts.

It is then possible to track a device on various sites through the same fingerprinting method.

Very recently, web developer ‘z0ccc’ shared a new fingerprinting site called ‘Extension Fingerprints’ that is able to generate a tracking hash using a browser’s installed Google Chrome extensions.

In building a Chrome browser extension, creators may be able to declare certain assets as ‘web accessible resources’ that web pages or other extensions may be able to access.

It is also possible to utilize web-accessible resources to detect installed extensions and come up with a fingerprint of a visitor’s browser based on the merger of found extensions.

To evade detection, some extensions, according to z0ccc, use a secret token that is required to access a web resource. But the researcher uncovered a ‘Resource timing comparison’ method that may still be used to monitor if the extension is installed.

“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed,” said z0ccc on the project’s GitHub page.

The extensions that the website is able to identify are uBlock, LastPass, Adobe Acrobat, Honey, Grammarly, Rakuten, and ColorZilla.

The Extensions Fingerprints site only functions via Chromium browsers installing extensions from the Chrome Web Store. While this method will likewise work with Microsoft Edge, it still has to be modified to use extension IDs from Microsoft’s extension store.

Finally, this method does not work with Mozilla Firefox add-ons as Firefox extension IDs are unique in each browser instance.

While z0ccc does not have data regarding installed extensions, his own tests illustrate that uBlock is the most ubiquitous extension fingerprint.

For more information, read the original story in Bleepingcomputer.

SUBSCRIBE NOW

Related articles

WordPress Co-Founder Warns Lawsuits Could Kill WordPress.org

WordPress co-founder Matt Mullenweg has warned that ongoing lawsuits stemming from his conflict with hosting provider WP Engine...

Linux Foundation Launches Initiative to Make Chromium Truly Open Source

The Linux Foundation has announced a new initiative to reduce Google's control over Chromium, the open-source browser engine...

San Francisco Billboards Urge Tech Companies to Support Open Source Software

Drivers in San Francisco are encountering new billboards calling out tech companies for not financially supporting the open-source...

Big data vendors rally behind Apache Iceberg

Apache Iceberg gained significant momentum last week as leading data warehousing and analytics vendors rolled out new features...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways