Google Chrome Extensions Could Be Used to Track Users Online

Security

Web developer ‘z0ccc’ has created a website designed to generate a fingerprint of devices based on Google Chrome extensions installed on the visiting browser. 

In an exclusive email interview with Bleeping Computer, z0ccc said while the website does not store the fingerprint of visiting devices, the testing shows that information could be potentially used by malicious actors to track users.

From a technical standpoint, this fingerprinting action is possible due to a feature of Chrome browser extensions that allows developers to declare certain assets as ‘web accessible resources’ for web pages and other extensions.

Web-accessible resources can consequently be used to check for installed extensions and generate a fingerprint of a visiting user based on the combination of installed extensions.

“Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension’s bundle can be made web accessible,” z0ccc wrote on a Github page dedicated to the project.

According to the web developer, some extensions use a secret token that prevents detection, but a ‘Resource timing comparison’ method exists that can still be used to detect if the extension is installed.

“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed,” z0ccc wrote.

“By comparing the timing differences you can accurately determine if the protected extensions are installed.”

The researcher also explained that this method does not work on Firefox as the browser extension IDs are unique for every browser instance.

The technique, on the other hand, should work on Microsoft Edge extensions, z0ccc said, but not using its tool, which only detects extensions from the Chrome Web Store.  

Z0ccc added that while the information collected using this method may not always be able to fingerprint users at a granular level, when combined with operating data points such as OS, active plugins, time zone and language, tracking users becomes exponentially easier and more accurate.

Products You May Like

Articles You May Like

Modernization of Authentication: Webinar on MFA, Passwords, and the Shift to Passwordless
Ten Million Brits Hit By Fraud in Just Three Years
INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa
The complexities of attack attribution – Week in security with Tony Anscombe
Why system resilience should mainly be the job of the OS, not just third-party applications

Leave a Reply

Your email address will not be published. Required fields are marked *