A web developer going by the alias ‘z0ccc’ has created a website that can generate a unique online tracking fingerprint based on Chrome extensions installed on the visiting browser.
The methodology is primarily based on securing the extensions’ web-accessible resources, a type of file within the extension’s infrastructure that web pages can access. The file can consequently be employed to detect installed extensions and create a fingerprint of a visiting user based on the combination of installed extensions.
The procedure was previously demonstrated in 2019, but the website has only recently been designed. Some extensions can bypass detection by using secret tokens required to access their web resources, but there is novel” resource timing comparison” technique to detect if an extension is installed on the endpoint or not.
"Resources of protected extensions will take longer to fetch than resources of extensions that are not installed,” z0ccc explained on the project’s GitHub page. “By comparing the timing differences, you can accurately determine if the protected extensions are installed."
To illustrate this fingerprinting technique, the web developer designed an Extension Fingerprints website that will examine a visitor's browser for the existence of web-accessible resources in 1,170 popular extensions available on the Google Chrome Web Store.
The methodology also operates with extensions installed from the Chrome Web Store in Chromium browsers, such as Microsoft Edge. It can spot Edge extensions from Microsoft’s dedicated store, but z0ccc’s website doesn’t support this feature.
Interestingly, the technique doesn’t work for Firefox extensions as the browser extension IDs are unique for every browser instance, making the web-accessible resources URL impossible to identify by third parties.
To restrict fingerprinting via browser extension detection, Chrome users can limit the number of extensions they install on their Chrome and Chromium browsers. Installing more extensions and in unique combinations increases the risk of having multiple tracking hash, which facilitates fingerprinting.
"This is definitely a viable option for fingerprinting users," z0ccc explained in the blog post. "Especially using the 'fetching web accessible resources' method. If this is combined with other user data (like user agents, timezones etc.) users could be very easily identified."
