New research suggests that web browser extensions can be used as a means to identify users and track them across the web.
Online tracking has been the bane of the Internet since its early days, but over the years people have become reluctant to tolerate privacy abuses. (opens in new tab), While some people claim that tracking is necessary to provide personalized advertising, and thus keep Internet services free, others shudder at the thought of companies doing what they do online.
Ever since Google announced it would kill third-party cookies, stakeholders have been looking for viable alternatives. “Fingerprinting” emerged as one of the choices people make depending on the various features of the device they were using. Those features include factors like display resolution, fonts, GPU performance, installed apps, and more.
scanning for extensions
Now, another unique feature can be added to the mix, and that is the extensions people have installed on their browsers.
according to a bleeding computer Reports, a web developer going by the nickname ‘z0ccc’ created a fingerprinting site called “Extension Fingerprints” that does just that: fingerprints people based on their Google Chrome extension.
Some extensions require the use of a secret token to access a web resource (opens in new tab) As a contingency measure, the researchers say, but there are still ways to learn whether an extension is installed on the endpoint.
Z0ccc wrote, “The resources for protected extensions will take longer to fetch than resources for extensions not installed. You can accurately determine whether protected extensions are installed or not by comparing the time difference.”
The website scans the visitor’s browser for the existence of 1,170 most popular extensions available in the Google Chrome Web Store. While the method works on Edge (albeit with a few tweaks), it doesn’t work on Firefox users.
“It is definitely a viable option for fingerprinting users,” reported z0ccc bleeding computer, “Specifically using the ‘fetch web accessible resources’ method. Users can be identified very easily if this is combined with other user data (eg user agent, timezone, etc.).”
Through Bleeping Computer (opens in new tab)