Web browser extensions could be used as a way to identify users and track them around the web, according to new research.
Online tracking has been the bane of the internet since the early days, but in recent years people have become increasingly reluctant to put up with privacy breaches. While some people argue that tracking is necessary to deliver personalized ads to keep internet services free, others shudder at the thought of companies keeping tabs on what they’re doing online.
Ever since Google announced it would be removing third-party cookies, stakeholders have been looking for viable alternatives. Fingerprinting people based on the various characteristics of the device they use emerged as one of the options. These characteristics include factors such as display resolution, fonts, GPU performance, installed applications, etc.
Search for extensions
Now another distinguishing characteristic can be added to the mix: the extensions that people have installed in their browsers.
According to a BleepingComputer report, a web developer known as “z0ccc” has created a fingerprinting site called “Extension Fingerprints” that does just that: it fingerprints people based on their Google Chrome extensions.
Some extensions require a secret token to access a web resource as a protective measure, says the researcher, but there are still methods to find out whether or not such an extension is installed on the device.
“Resources from protected extensions will take longer to fetch than resources from extensions that are not installed. By comparing the time differences, you can accurately determine whether protected extensions are installed,” z0ccc wrote.
The website scans the visitor’s browser for the presence of the 1,170 most popular extensions available in the Google Chrome Web Store. Although the method works on Edge (albeit with some tweaks), it does not work on Firefox.
“It’s definitely a viable option for fingerprinting users,” z0ccc told BleepingComputer. “Especially using the ‘retrieval of web-accessible resources’ method. If this is combined with other user data (like user agents, time zones, etc.), users could be very easily identified.”
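The web-accessible resources method depends on what each extension declares in its `manifest.json`, so an extension's static exposure can be audited from the manifest alone. The sketch below is an added example, not code from the researcher's site: the function names and sample manifests are constructed for illustration, and it does not cover the timing method against token-protected resources.

```javascript
// Added example: static audit of extension manifests for page-visible resources.
// Match patterns that allow every web origin to request a resource.
const BROAD_MATCH = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;

// Classify each web_accessible_resources entry of one parsed manifest.json.
function auditManifest(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === 'string') {
      // Manifest V2: a bare path is fetchable from any web page.
      findings.push({ resource: entry, exposure: 'any-site' });
      continue;
    }
    // Manifest V3: exposure is scoped by "matches"; use_dynamic_url swaps the
    // fixed extension ID in the URL for a per-session one.
    const broad = (entry.matches || []).some((m) => BROAD_MATCH.test(m));
    let exposure = 'restricted';
    if (broad) exposure = entry.use_dynamic_url ? 'any-site-dynamic-url' : 'any-site';
    for (const resource of entry.resources || []) {
      findings.push({ resource, exposure });
    }
  }
  return {
    name: manifest.name,
    // A fixed-URL resource open to all sites is what a probing page can fetch.
    probeable: findings.some((f) => f.exposure === 'any-site'),
    findings,
  };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  { name: 'legacy-toolbar', manifest_version: 2,
    web_accessible_resources: ['img/logo.png', 'inject.css'] },
  { name: 'scoped-helper', manifest_version: 3,
    web_accessible_resources: [
      { resources: ['panel.html'], matches: ['https://app.example.com/*'] }] },
  { name: 'dynamic-widget', manifest_version: 3,
    web_accessible_resources: [
      { resources: ['widget.js'], matches: ['<all_urls>'], use_dynamic_url: true }] },
  { name: 'no-resources', manifest_version: 3 },
];

// Names of extensions whose presence any site could test by fetching a resource.
function probeableNames(manifests) {
  return manifests.map(auditManifest).filter((r) => r.probeable).map((r) => r.name);
}

console.log(probeableNames(SAMPLE_MANIFESTS));
```

Extension authors can use the same classification to narrow `matches` to the origins that actually need a resource, or to drop the declaration entirely when no page needs it.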
Via BleepingComputer