Web browser extensions could be used as a way to identify users and track them across the web, according to new research.
Online tracking has been the bane of the Internet since the earliest days, but in recent years people have become increasingly reluctant to put up with privacy violations. While some people argue that tracking is necessary to deliver personalized ads to keep internet services free, others cringe at the idea of companies monitoring what they're doing online.
Ever since Google announced that it would remove third-party cookies, stakeholders have been looking for viable alternatives. Fingerprinting people based on the various features of the device they use emerged as one of the options. These features include factors like screen resolution, fonts, GPU performance, installed apps, etc.
Now another distinguishing feature can be added to the mix: the extensions that people have installed in their browsers.
According to a report from BleepingComputer, a web developer known as "z0ccc" has created a fingerprinting site called "Extension Fingerprints" that does exactly that: fingerprint people based on their Google Chrome extensions.
Some extensions require a secret token to access a web resource as a countermeasure, the researcher explains, but there are still ways to tell whether an extension is installed on the device.
"Resources from protected extensions will take longer to retrieve than resources from extensions that are not installed. By comparing time differences, you can accurately determine whether protected extensions are installed," z0ccc wrote.
The website scans the visitor's browser for the presence of the 1170 most popular extensions available in the Google Chrome Web Store. Although the method works in Edge (albeit with some tweaking), it does not work in Firefox.
"It's definitely a viable option for fingerprinting users," z0ccc told BleepingComputer. "Especially using the 'retrieval of accessible web resources' method. If this is combined with other user data (such as user agents, time zones, etc.), users could be very easily identified."
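For extension authors and reviewers, the exposure behind the "accessible web resources" method can be checked in the extension's own manifest. The following is an added example, not code from z0ccc or BleepingComputer: it audits the `web_accessible_resources` key of a Chrome manifest (Manifest V2 and V3 layouts) and reports which resources any website could retrieve. The two sample manifests and all function names are constructed for illustration, and the audit covers direct retrieval only, not the timing comparison z0ccc describes.

```javascript
// Added example: audit which web-accessible resources an extension exposes.
// Match patterns that effectively mean "every website".
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (war.length === 0) return [];
  if (manifest.manifest_version !== 3) {
    // Manifest V2: a flat list of paths with no way to restrict the origin.
    return [{ resources: war, exposure: "any-site", matches: [] }];
  }
  // Manifest V3: one object per resource group, each with its own scope.
  return war.map((entry) => {
    const matches = entry.matches || [];
    let exposure;
    if (entry.use_dynamic_url === true) {
      exposure = "dynamic-url"; // documented MV3 key: per-session URL
    } else if (matches.some((m) => BROAD.has(m))) {
      exposure = "any-site";
    } else if (matches.length > 0) {
      exposure = "listed-sites";
    } else {
      exposure = "extensions-only"; // only extension_ids (or nothing) listed
    }
    return { resources: entry.resources || [], exposure, matches };
  });
}

// True when at least one resource can be requested from arbitrary pages.
function isRetrievableFromAnySite(manifest) {
  return auditManifest(manifest).some((f) => f.exposure === "any-site");
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_MV2 = {
  manifest_version: 2,
  web_accessible_resources: ["img/logo.png", "inject.css"],
};
const SAMPLE_MV3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["inject.css"], matches: ["https://app.example.com/*"] },
    { resources: ["img/icon.png"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};

for (const m of [SAMPLE_MV2, SAMPLE_MV3]) {
  console.log(JSON.stringify(auditManifest(m)), isRetrievableFromAnySite(m));
}
```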
Via BleepingComputer