Google Chrome Extensions Could Be Used to Track Users Online

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Web developer ‘z0ccc’ has created a website designed to generate a fingerprint of devices based on Google Chrome extensions installed on the visiting browser. 

In an exclusive email interview with Bleeping Computer, z0ccc said while the website does not store the fingerprint of visiting devices, the testing shows that information could be potentially used by malicious actors to track users.

From a technical standpoint, this fingerprinting action is possible due to a feature of Chrome browser extensions that allows developers to declare certain assets as ‘web accessible resources’ for web pages and other extensions.

Web-accessible resources can consequently be used to check for installed extensions and generate a fingerprint of a visiting user based on the combination of installed extensions.

“Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension’s bundle can be made web accessible,” z0ccc wrote on a Github page dedicated to the project.

According to the web developer, some extensions use a secret token that prevents detection, but a ‘Resource timing comparison’ method exists that can still be used to detect if the extension is installed.

“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed,” z0ccc wrote.

“By comparing the timing differences you can accurately determine if the protected extensions are installed.”

The researcher also explained that this method does not work on Firefox as the browser extension IDs are unique for every browser instance.

The technique, on the other hand, should work on Microsoft Edge extensions, z0ccc said, but not using its tool, which only detects extensions from the Chrome Web Store.  

Z0ccc added that while the information collected using this method may not always be able to fingerprint users at a granular level, when combined with operating data points such as OS, active plugins, time zone and language, tracking users becomes exponentially easier and more accurate.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

U.S. Treasury Hamas Spokesperson for Cyber Influence Operations
Quishing Attacks Jump Tenfold, Attachment Payloads Halve
Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw
Report Suggests 93% of Breaches Lead to Downtime and Data Loss
Russia and Ukraine Top Inaugural World Cybercrime Index

Leave a Reply

Your email address will not be published. Required fields are marked *