Your installed browser extension may be used to fingerprint you

silversurfer

Level 85
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,681
" Extensions installed in web browsers may be used for tracking purposes. Some extensions use resources that are accessible by sites that are loaded in the browser; the information may be used to determine if extensions are installed, and even which extensions. "
extension-fingerprints.png
Fingerprinting describes a series of tracking techniques that Internet sites and apps may use to track users. The techniques use information, either provided automatically by the browser or the operating system, or manually, through the use of scripts. Unique fingerprints are the goal, as they allow sites to distinguish between visitors accurately. Most of the time, fingerprinting is used in combination with other tracking methods.

Browser extensions may use web accessible resources; not all do, but thousands use these resources. These resources, for instance images, may be accessed by websites that are loaded in the browser. The developer of the extension needs to declare web accessible resources explicitly in the manifest.

Extension Fingerprints is an open source script that checks whether these extensions are installed in the user's browser. The developer added scans for over 1000 extensions to the script, which are the most popular ones from a user installation point of view. Popular browser extensions such as Google Translate, Honey, Avast Online Security & Privacy, Malwarebytes Browser Guard, LastPass, Cisco Webex Extension, DuckDuckGo Privacy Essentials, or Amazon Assistant for Chrome use web accessible resources.

The list can be extended to add extensions with less than 70,000 users to the mix, which would improve detections and fingerprinting.

Point your web browser to this page to run the browser fingerprinting test. The script that runs on the page checks for the existence of web accessible resources and uses the information to return how unique the fingerprint is.

The browser's fingerprint is shared with the majority of users if none of the extensions that the script scans for is installed.
 

rain2reign

Level 8
Verified
Well-known
Jun 21, 2020
376
For Firefox browser users. The closest you will most likely get is to go to the add-ons website and look up the permissions window of the extensions. For example, uBlock Origin shows me this:
1655642397485.png

This is, because in Firefox all installed add-ons are given a different unique ID which each browser install and profile(s) too.
 

Imranmt

Level 2
Verified
Nov 14, 2016
83
A researcher has created a website that uses your installed Google Chrome extensions to generate a fingerprint of your device that can be used to track you online.

To track users on the web, it is possible to create fingerprints, or tracking hashes, based on various characteristics of a device connecting to a website. These characteristics include GPU performance, installed Windows applications, a device's screen resolution, hardware configuration, and even the installed fonts.

It is then possible to track a device across sites using the same fingerprinting method.

Fingerprint from installed Chrome extensions​

Yesterday, web developer 'z0ccc' shared a new fingerprinting site called 'Extension Fingerprints' that can generate a tracking hash based on a browser's installed Google Chrome extensions.

When creating a Chrome browser extension, it is possible to declare certain assets as 'web accessible resources' that web pages or other extensions can access.

These resources are typically image files, which are declared using the 'web_accessible_resources' property in a browser extension's manifest file.

An example declaration of web-accessible resources is shown below:
extension-fingerprints.jpg


As previously disclosed in 2019, it is possible to use web-accessible resources to check for installed extensions and generate a fingerprint of a visitor's browser based on the combination of found extensions.

To prevent detection, z0ccc says that some extensions use a secret token that is required to access a web resource. However, the researcher discovered a 'Resource timing comparison' method that can still be be used to detect if the extension is installed.

"Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed," explained z0ccc on the project's GitHub page.

To illustrate this fingerprinting method, z0ccc created an Extension Fingerprints website that will check a visitor's browser for the existence of web-accessible resources in 1,170 popular extensions available on the Google Chrome Web Store.

Some of the extensions that the website will identify are uBlock, LastPass, Adobe Acrobat, Honey, Grammarly, Rakuten, and ColorZilla.

Based on the combination of installed extensions, the website will generate a tracking hash that can be used to track that particular browser, as shown below.

Some popular extensions, such as MetaMask, do not expose any resources, but z0ccc could still identify if they are installed by checking if "typeof window.ethereum equals undefined."

While those with no extensions installed will have the same fingerprint and be less useful for tracking, those with many extensions will have a less common fingerprint that can be used to track them around the web.

However, adding other characteristics to the fingerprinting model can further refine the fingerprint, making the hashes unique per user.

"This is definitely a viable option for fingerprinting users," z0ccc explained in an email to BleepingComputer.

"Especially using the 'fetching web accessible resources' method. If this is combined with other user data (like user agents, timezones etc) users could be very easily identified."
with no extensions

The Extensions Fingerprints site only works with Chromium browsers installing extensions from the Chrome Web Store. While this method will work with Microsoft Edge, it would need to be modified to use extension IDs from Microsoft's extension store.

This method does not work with Mozilla Firefox add-ons as Firefox extension IDs are unique for every browser instance.

uBlock is the most commonly installed​

While z0ccc is not collecting any data regarding installed extensions, his own tests showed that uBlock installed is the most common extension fingerprint.

"By far the most popular is having no extensions installed. As previously said I do not collect specific extension data but in my own testing it seems that having only ublock installed is a common extension fingerprint," shared z0ccc.

"Having 3+ detectable extensions installed seems to always make your fingerprint very unique."

Below are the percentages of users with various popular extensions installed from tests conducted by BleepingComputer.

  • 58.248% - No extensions installed or enabled.
  • 2.065% - Only Google Docs Offline, which is the only extension installed by default.
  • 0.528% - uBlock Origin + Google Docs Offline
  • 0.238% - AdBlock + Google Docs Offline
  • 0.141% - Adobe Acrobat + Google Docs Offline
  • 0.122% - Google Translate + Google Docs Offline
  • 0.019% - Malwarebytes Browser Guard
  • 0.058% - Grammarly + Google Docs Offline
  • 0.058% - LastPass + Google Docs Offline
  • 0.051% - Honey + Google Docs Offline
  • 0.013% - ColorZilla + Google Docs Offline
In our tests, installing three to four extensions brought the percentage of users using the same extension to as low as 0.006%. Obviously, the more installed extensions, the fewer people will have the same combination installed.

z0ccc says the 0.006% percentage indicates that you are the only user with that combination of extensions, but this will change as more people visit the site.

Extension Fingerprints has been released as an open-source React project on GitHub, allowing anyone to see how to query for the presence of installed extensions.
Source
 
Last edited by a moderator: