A researcher has found a way to generate a fingerprint of your device from your installed Google Chrome extensions, and then use that fingerprint to track you online.
Fingerprinting is a way of figuring out what makes your device unique and then using that to identify you as you move around the internet. Websites you visit receive a huge amount of information when you land on their portal—it’s a lot more than “just” which web browser you use to load up someone’s site.
What extensions do you have? How does your screen resolution compare with others? If you use a specific, unusual resolution, do you run other extensions alongside it? Do other people? Which versions of those extensions are on board? Is your IP address plain and exposed, or hidden behind a VPN?
How do sites fingerprint my device?
You can see a typical voluntary form of fingerprinting testing here. The site checks for a variety of information related to your device (including the below), and then places a cookie on your PC for four months:
- the User agent header
- the Accept header
- the Connection header
- the Encoding header
- the Language header
- the Upgrade Insecure Requests header
- the Referer header
- the Cache-Control header
- the BuildId of the browser
- the list of plugins
- the platform
- the cookies preferences (allowed or not)
- the Do Not Track preferences (yes, no or not communicated)
- the timezone
- the screen resolution and its color depth
What you often see in tests like this is a high degree of similarity between users for things like content encoding, preference for secure HTTPS requests, supported video formats, and so on.
The numbers start to flatten out for aspects of your PC like plugins, adblocker use, media devices plugged in, and lists of fonts. As you can see, it’s not just that fingerprinting can tell you what browser you use or your screen resolution at a very basic level, it’s all of the additional components too.
There are lots of ways fingerprinting can provide a very in-depth profile of a device.
You may use one type of browser like 50% of the other people who had their system fingerprinted. However, only 5% may use a specific version of that browser. Of that 5%, only 2% have a certain extension installed. From there, only 0.3% may use a specific version of this extension. And so it goes on…
Even switching your browsers around may not help much, which leads to people coming up with all sorts of workarounds.
Running the gauntlet of web accessible resources
The site determines installed extensions thanks to something called “web accessible resources”. As the researcher explains:
Web-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension’s bundle can be made web accessible.
By default no resources are web accessible; only pages or scripts loaded from an extension’s origin can access that extension’s resources. Extension authors can use the web_accessible_resources manifest property to declare which resources are exposed and to what origins.
A webpage can successfully fetch an installed extension’s web accessible resource. If the fetch fails it usually means that the extension is not installed.
Visiting the checker site returns a list of potential Chrome extensions, and each entry has a True/False detection flag. In my case, it correctly reported the installed extensions on the test system and informed me what % of users share those extensions.
The project creator explains that the detection does not work for Firefox as “Firefox extension IDs are unique for every browser instance”. They go on to say that the site “only detects extensions from the Chrome web store. Extensions for [Microsoft Edge] can be detected using the same methods but are not supported by this tool”.
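A defender-side check for the exposure described above, as an added example that is not from the researcher's project or the original article: it audits an extension's manifest.json for web_accessible_resources that any website can request under the extension's stable ID. The sample manifests are constructed, and the list of match patterns treated as "any site" is an assumption of this example.

```javascript
// Match patterns treated as "any site" (assumption of this example).
const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Report which web_accessible_resources entries let arbitrary pages test for the extension.
function auditManifest(manifest) {
  const war = manifest.web_accessible_resources;
  const findings = [];
  if (!Array.isArray(war) || war.length === 0) {
    return { name: manifest.name, probeable: false, findings };
  }
  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of paths, readable from every origin.
    findings.push({ resources: war.slice(), reason: "MV2 list is exposed to all origins" });
  } else {
    for (const entry of war) {
      const broad = (entry.matches || []).filter((m) => BROAD_MATCHES.has(m));
      // use_dynamic_url serves the resource under a per-session ID, so the
      // stable store ID no longer addresses it.
      if (broad.length > 0 && entry.use_dynamic_url !== true) {
        findings.push({
          resources: entry.resources || [],
          reason: `exposed to ${broad.join(", ")} under the stable extension ID`,
        });
      }
    }
  }
  return { name: manifest.name, probeable: findings.length > 0, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  { name: "legacy-helper", manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  { name: "open-assets", manifest_version: 3,
    web_accessible_resources: [{ resources: ["inject.css"], matches: ["<all_urls>"] }] },
  { name: "dynamic-id", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["inject.css"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  { name: "scoped", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["ui.html"], matches: ["https://app.example.com/*"] }] },
  { name: "no-war", manifest_version: 3 },
];

function probeableNames(manifests) {
  return manifests.map(auditManifest).filter((r) => r.probeable).map((r) => r.name);
}

console.log(probeableNames(SAMPLE_MANIFESTS));
```

Extension authors can run the same check against their own manifest before publishing; users can run it over the manifest.json files in their browser profile's extensions directory.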
Tackling evasive behaviour
Some extensions have ways of not showing up in this kind of fingerprinting test. Are some of the extensions on your device trying to hide? Thanks to something called “Resource timing comparison”, it may not even matter.
In an effort to prevent detection some extensions will generate a secret token that’s required to access their web accessible resources. Any fetch operation made without the secret token will result in failure. Although it’s much more difficult to detect these protected extensions, it’s still possible.
Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed.
There are numerous suggestions for limiting fingerprinting, but not all of them may be practical for you in your day-to-day dealings. Suggestions from the Electronic Frontier Foundation include:
- Using a “non-rare” browser, with the caveat that aspects such as fonts and plugins can easily make you identifiable.
- Making use of the private browsing modes included in most web browsers.
You could also use browsers with dedicated anti-fingerprinting technology running in the background. Whatever you decide, this is by no means an easy problem to address for most people.