Web browser extensions could be used as a means of identifying users and tracking them across the web, new research suggests.
Online tracking has been the bane of the internet from the earliest days, but over the last few years people have become increasingly unwilling to put up with invasions of privacy. While some people claim tracking is necessary to provide personalized ads, and thus keep internet services free, others shiver at the thought of companies keeping tabs on what they do online.
Ever since Google announced it would be killing third-party cookies, stakeholders have been looking for viable alternatives. “Fingerprinting” people based on the various characteristics of the device they use emerged as one of the options. Those characteristics include factors like display resolution, fonts, GPU performance, installed apps and more.
Scanning for extensions
Now, another unique feature can be added to the mix, and that’s the extensions people have installed on their browsers.
As per a BleepingComputer report, a web developer going by the alias ‘z0ccc’ built a fingerprinting site called “Extension Fingerprints” that does just that: fingerprints people based on their Google Chrome extensions.
Some extensions require the use of a secret token to access a web resource as a contingency measure, the researcher says, but there are still methods to learn if an extension is installed on the endpoint or not.
“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed,” z0ccc wrote.
The website scans the visitor’s browser for the existence of the 1,170 most popular extensions available in the Google Chrome Web Store. While the method works on Edge (albeit with a few tweaks), it doesn’t work for Firefox users.
“This is definitely a viable option for fingerprinting users,” z0ccc told BleepingComputer. “Especially using the ‘fetching web accessible resources’ method. If this is combined with other user data (like user agents, timezones etc.) users could be very easily identified.”
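For extension developers, the exposure behind the "web accessible resources" method can be checked from the manifest itself. The following is an added example, not code from z0ccc's site or from the report: it audits a `manifest.json` object and lists resources any website can fetch at a stable URL. The sample manifests are constructed, and treating Manifest V3's `use_dynamic_url` as the secret-token protection mentioned above is an assumption.

```javascript
// Added example: audit a Chrome extension manifest for web-accessible
// resources that are reachable from arbitrary web pages.

// Returns one finding per exposed resource path.
function auditManifest(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of paths, reachable from every origin.
    return war.map((path) => ({ resource: path, exposure: "any-site", dynamicUrl: false }));
  }
  // Manifest V3: objects with resources, matches and optional use_dynamic_url.
  const findings = [];
  for (const entry of war) {
    const matches = entry.matches || [];
    const broad = matches.some(
      (m) => m === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(m)
    );
    const exposure = broad ? "any-site" : matches.length ? "restricted" : "extensions-only";
    for (const path of entry.resources || []) {
      findings.push({ resource: path, exposure, dynamicUrl: entry.use_dynamic_url === true });
    }
  }
  return findings;
}

// Resources any site can request at a fixed chrome-extension:// URL.
function directlyProbeable(manifest) {
  return auditManifest(manifest)
    .filter((f) => f.exposure === "any-site" && !f.dynamicUrl)
    .map((f) => f.resource);
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_MV2 = { manifest_version: 2, web_accessible_resources: ["img/icon.png"] };
const SAMPLE_MV3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["inject.css"], matches: ["<all_urls>"] },
    { resources: ["ui/panel.html"], matches: ["https://example.com/*"] },
    { resources: ["fonts/a.woff2"], matches: ["*://*/*"], use_dynamic_url: true },
  ],
};

console.log(directlyProbeable(SAMPLE_MV2), directlyProbeable(SAMPLE_MV3));
```

Resources behind a dynamic URL are left out of `directlyProbeable`, but the timing comparison z0ccc describes still applies to them, so exposing fewer resources to fewer origins is the stronger fix.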