A researcher has created a website that uses your installed Google Chrome extensions to generate a fingerprint (or tracking hash) of your device that can be used to track you digitally.
Digital fingerprints can be used based on various characteristics of a device connecting to a website, including GPU performance, installed Windows applications, hardware configuration, a device’s screen resolution, and installed fonts. It is then possible to track a device across websites using the same method.
Over the weekend, web developer ‘z0ccc’ shared a new fingerprinting site called ‘Extension Fingerprints’ that generates a tracking hash based on a browser’s installed Google Chrome extensions.
It is possible to declare certain assets as ‘web accessible resources’ that other extensions or web pages can access, when creating a Chrome browser extension.
These resources are typically image files, which are declared using the ‘web_accessible_resources’ property in a browser extension’s manifest file.
Disclosed in 2019, it is possible to use web-accessible resources to check for installed extensions and then generate a fingerprint of a visitor’s browser based on the combination of extensions found.
Z0ccc says, in order to prevent detection, that some extensions use a secret token that is required to access a web resource. The researcher has discovered a ‘Resource timing comparison’ method that can be used to detect if the extension is installed.
Z0ccc explained on the project’s GitHub page that, “resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed.”
To illustrate the method, z0ccc created an Extension Fingerprints website that will check a visitor’s browser for the existence of web-accessible resources in over 1000 popular extensions available on the Google Chrome Web Store. Some of the extensions identified by the site include uBlock, LastPass and Rakuten.
Based on the combination of installed extensions, the website will generate a hacking hash that can be used to track that particular browser.
Adding other characteristics to the fingerprinting model can further refine the fingerprint, making the hashes unique per user.
The Extensions Fingerprints site only works with Chromium browsers installing extensions from the Chrome Web Store. This method will work with Microsoft Edge, however it would need to be modified to use extension IDs from Microsoft’s extension store.
The method does not work with Mozilla Firefox add-ons as Firefox extension IDs are unique for ever browser instance.
Z0ccc’s tests showed that uBlock is the most common extension fingerprint installed.
Z0ccc said, “by far the most popular is having no extensions installed. As previously said I do not collect specific extension data but in my own testing it seems that having only uBlock installed is a common extension fingerprint.”
“Having 3+ detectable extensions installed seems to always make your fingerprint very unique.”
Extension Fingerprints has been released as an open-source React project on GitHub, allowing anyone to see how to query for the presence of installed extensions.
