Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Privacy

Google Chrome exposes user extensions to fingerprinting

Kyle by Kyle
July 1, 2022
in Privacy
0
Google Chrome Extension fingerprinting source
12
SHARES
329
VIEWS
Share on FacebookShare on Twitter

Security researcher, z0ccc, has released a new tool that proves that Google Chrome extensions can be fingerprinted which allows tracking of its users online.

You might also like

GIFs in messaging apps are tracking you

Chrome Browser Extension Vytal Prevents Privacy Leaks

Are Bluetooth signals being used to track smartphones?

Tracking users online is typically done via fingerprints that generate unique hashes for each user. These hashes are generated by combining installed Windows applications, the device’s screen resolution, GPU performance, hardware config, and installed fonts.

With these characteristics, sites will track your device across social media and various websites. Google knows who you are, your social media profiles and what sites you browse allowing them to tailor advertisements to what you interact with and habits.

Chrome exposing extensions to fingerprinting

z0ccc has released a site called ‘Extension Fingerprints’ along with the new tool which can generate an almost unique fingerprint based on your installed Google Chrome extensions. The full source of this tool is located on z0ccc’s GitHub page.

Chrome extension developers have the ability to declare specific assets within Chrome extensions as ‘web-accessible resources‘. This allows outside web pages or other extensions to access the plugin/extension itself.

These resources are normally an image file that is declared by utilizing the ‘web_accessible_resources‘ property that is located in an extension’s manifest file.

Here’s an example of a web-accessible resource:

"web_accessible_resources": [
    {
      "resources": [ "logo.png" ],
      "matches": [ "https://zerosecurity.org/*" ]
    }
],

Originally disclosed in 2019 by Authentic8, it is possible to capture these web-accessible sources to find installed extensions and generate fingerprints of various browsers based on the combined uniqueness of browser extensions.

It is possible for extension authors to hide these web-accessible resources by using a secret token to be required to access the web resource. However, z0ccc has released a method to bypass the secret token, called a ‘resource timing comparison’.

“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed,” explained z0ccc on the project’s GitHub page.

As a proof of concept, z0ccc released a Chrome Extension fingerprint site that will provide you with your installed Chrome extensions and how unique the combination is. The site/tool checks for 1,170 of the most popular extensions available on the Google Chrome Web Store.

A number of extensions that the site will discover include Honey, LastPass, uBlock, Adobe Acrobat, ColorZilla, Grammarly, and Rakuten.

The website will then generate a tracking hash based on the installed extensions which can be used to track that specific web browser, as shown in the image below.

Z0ccc Chrome Extension Fingerprinting
Fingerprint generation, source: Zerosecurity

Some popular extensions such as MetaMask does not expose any extension resources, but z0ccc claims to still have identified the extension by checking if ‘typeof window.ethereum equals undefined.’ This method does not work with the Brave browser though.

Chrome browsers that contain no extensions will be less easy to fingerprint as they share the same fingerprint as all other Chrome browsers without extensions.

The Extension Fingerprinting site will only work with Chromium-based browsers with extensions installed from the Chrome Store. Even though this method can be used with Microsoft Edge, it will need to be altered to implement extension IDs from Microsoft’s store.

This strategy will not work with Mozilla Firefox add-ons as Firefox extension IDs are unique for each browser it’s installed on.

The most commonly installed extension

z0ccc is not collecting any data with his new project, but after doing his own tests, he has discovered that uBlock is the most commonly installed extension.

“By far the most popular is having no extensions installed. As previously said I do not collect specific extension data but in my own testing it seems that having only ublock installed is a common extension fingerprint,” z0ccc explained.

“Having 3+ detectable extensions installed seems to always make your fingerprint very unique.”

z0ccc stated that a 0.006% percentage indicates that you are the only user with that specific combination of extensions, but this may change as the site gets more hits.

The source of the new tool, Extension Fingerprints, has been released on GitHub using React which now allows anyone to start tracking users based on installed Chrome extensions.

bleepingcomputer.com/news/security/google-chrome-extensions-can-be-fingerprinted-to-track-you-online/

z0ccc.github.io/extension-fingerprints/

Tags: Browser FingerprintingGoogle Chrome
Share9Tweet5
Kyle

Kyle

Co-owner, writer, and editor at ZeroSecurity. Security, Blockchain, and SEO enthusiast. "Formal education will make you a living; self-education will make you a fortune."

Recommended For You

GIFs in messaging apps are tracking you

by Christi Rogalski
July 19, 2022
0
GIFs in messaging apps are tracking you

Today, the dynamic moving image, GIF sent to a friend or colleague, perfectly expresses our emotions and lightens the mood of the receiver(s). However, several concerns have been...

Read more

Chrome Browser Extension Vytal Prevents Privacy Leaks

by Christi Rogalski
June 19, 2022 - Updated on June 20, 2022
0
Vytal Chrome Extension spoofs location data

Released in 2008, Google Chrome is a cross-platform web browser. With over 3.2 billion internet users worldwide, there's no denying that Chrome is the most popular browser today....

Read more

Are Bluetooth signals being used to track smartphones?

by Christi Rogalski
June 17, 2022
0
Bluetooth research leads to tracking

Can Bluetooth signals be used to track smartphones? Many people would say "No" to this question. However, a team of engineers at the University of California San Diego...

Read more

How Apple Stopped $1.5 billion Worth of Fraudulent Transactions in 2021

by Christi Rogalski
June 8, 2022
0
Apple app store security fraud

Apple has recently released statistics on the number of fraudulent and untrustworthy transactions that have passed through the Apple App Store in 2021. In combination, they have stopped...

Read more

Tails OS Developers Warn Users to not use their Operating System

by Kyle
May 28, 2022
0
Tails OS 5.0 zero-day

The developers of the popular Tails OS (operating system) are warning its users to cease use of their tool due to privacy concerns after the discovery of a...

Read more
Next Post
Shanghai China police database hack

Shanghai National Police database hacked - 1 billion Chinese citizens leaked

Related News

BreachForums Owner Arrested and Charged

BreachForums Owner Arrested and Charged

March 17, 2023
ChipMixer platform tied to crypto laundering scheme – seized by authorities

ChipMixer platform tied to crypto laundering scheme – seized by authorities

March 17, 2023
NSA intercepting U.S. Routers

NSA intercepting U.S. Routers

June 6, 2014 - Updated on March 17, 2023
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology News
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Tools
  • Contact Us
  • Privacy Policy

© 2022 ZeroSecurity, All Rights Reserved.