Web developer ‘z0ccc’ has created a website designed to generate a fingerprint of devices based on Google Chrome extensions installed on the visiting browser.
In an exclusive email interview with Bleeping Computer, z0ccc said while the website does not store the fingerprint of visiting devices, the testing shows that information could be potentially used by malicious actors to track users.
From a technical standpoint, this fingerprinting action is possible due to a feature of Google Chrome extensions that allows developers to declare certain assets as ‘web accessible resources’ for web pages and other extensions.
Web-accessible resources can consequently be used to check for installed extensions and generate a fingerprint of a visiting user based on the combination of installed extensions.
“Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension’s bundle can be made web accessible,” z0ccc wrote on a Github page dedicated to the project.
According to the web developer, some extensions use a secret token that prevents detection, but a ‘Resource timing comparison’ method exists that can still be used to detect if the Google Chrome extensions is installed.
“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed,” z0ccc wrote.
“By comparing the timing differences you can accurately determine if the protected extensions are installed.”
The researcher also explained that this method does not work on Firefox as the browser extension IDs are unique for every browser instance.
The technique, on the other hand, should work on Microsoft Edge extensions, z0ccc said, but not using its tool, which only detects extensions from the Chrome Web Store.
Z0ccc added that while the information collected using this method may not always be able to fingerprint users at a granular level, when combined with operating data points such as OS, active plugins, time zone and language, tracking users becomes exponentially easier and more accurate.
Read more: https://bit.ly/3QAfCsI
You can also read this: Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild