Web browser extensions can be used as a means of identifying users and tracking them across the web, new research suggests.
Online tracking has been the bane of the internet since its early days, but in recent years people have become increasingly reluctant to tolerate invasions of privacy. (opens in new tab). While some people claim that tracking is necessary to deliver personalized ads and thus keep internet services free, others shudder to think that companies retain control over what they do online.
Ever since Google announced that it would eliminate third-party cookies, interested parties have been looking for viable alternatives. The “fingerprint” of people based on the various characteristics of the device they use emerged as one of the options. These characteristics include factors such as screen resolution, fonts, GPU performance, installed apps, and more.
Now, another unique feature can be added to the mix, and that is the extensions that people have installed in their browsers.
according to a BleepingComputer In the report, a web developer using the alias ‘z0ccc’ has built a fingerprint website called “Extension Fingerprints” that does just that: fingerprints of people based on their Google Chrome extensions.
Some extensions require the use of a secret token to access a web resource (opens in new tab) as a contingency measure, says the researcher, but there are still methods to know if an extension is installed on the endpoint or not.
“Features of protected extensions will take longer to fetch than features of extensions that are not installed. By comparing time differences, you can accurately determine whether protected extensions are installed,” z0ccc wrote.
The site checks the visitor’s browser for 1,170 most popular extensions available on the Google Chrome Web Store. While the method works in Edge (albeit with a few tweaks), it doesn’t work for Firefox users.
“This is definitely a viable option for fingerprint users,” said z0ccc BleepingComputer. “Especially using the ‘fetching web-accessible resources’ method. If this is combined with other user data (like user agents, time zones, etc.), users can be easily identified.”