Gummy Browsers is a new fingerprint-capturing and browser-spoofing attack developed by university researchers in the United States. They warn about how simple the attack is to carry out and the serious consequences it might have. The 'Gummy Browsers' attack involves obtaining a person's browser fingerprint by forcing them to visit an attacker-controlled website, then using that fingerprint to fake that person's identity on a target platform.
After capturing a user's fingerprint with existing or custom scripts, the researchers devised the following ways to impersonate the user on other sites:
• Script injection - Spoofing the fingerprint of the victim by running scripts (with Selenium) that deliver values retrieved from JavaScript API calls.
• Browser setting and the debugging tool - Both can be used to change the browser attributes to any custom value, which affects both the JavaScript API and the HTTP header value.
• Script manipulation - Modifying the scripts placed in the website before they are transmitted to the webserver to change the browser properties with faked values.
A digital fingerprint is a one-of-a-kind online identifier linked to a certain person based on a device's characteristics. IP addresses, browser and OS versions, installed software, active add-ons, cookies, and even how a user moves their mouse or types on the keyboard are all examples of these characteristics. These fingerprints can be used by websites and advertisers to verify that a visitor is human, track a user across several sites, and serve tailored advertising. Some authentication systems use fingerprints as well, allowing MFA or other security features to be circumvented if a valid fingerprint is identified.
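The authentication point above, as an added server-side example in Python (not code from the researchers or their paper): a fingerprint identifier computed from client-reported values is identical for any session that reports the same values, so the policy here waives MFA only when a server-issued device token also verifies. The attribute names, the key, the account name and all function names are hypothetical, and the sample values are constructed.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: a secret known only to the server

def fingerprint_id(attrs: dict) -> str:
    """Hash the client-reported attributes into a stable identifier."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def issue_device_token(account: str, fp_id: str) -> str:
    """Value the server hands out after a full MFA login, bound to account and fingerprint."""
    msg = f"{account}|{fp_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def may_skip_mfa(account: str, known_fp: str, attrs: dict, device_token) -> bool:
    """Treat a fingerprint match as a weak signal: it never waives MFA on its own."""
    fp = fingerprint_id(attrs)
    if not hmac.compare_digest(fp, known_fp):
        return False              # unfamiliar browser: always require MFA
    if not device_token:
        return False              # matching fingerprint but nothing server-issued
    return hmac.compare_digest(issue_device_token(account, fp), device_token)

# Constructed sample: the attributes recorded when the account holder enrolled.
ENROLLED = {
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
    "language": "en-US",
    "timezone": "America/Chicago",
    "screen": "1920x1080x24",
    "platform": "Linux x86_64",
}
# A different session that reports the same values; the server sees no difference.
SAME_VALUES = dict(ENROLLED)

KNOWN_FP = fingerprint_id(ENROLLED)
TOKEN = issue_device_token("alice", KNOWN_FP)

if __name__ == "__main__":
    print("identical fingerprint id:", fingerprint_id(SAME_VALUES) == KNOWN_FP)
    print("skip MFA, no token:", may_skip_mfa("alice", KNOWN_FP, SAME_VALUES, None))
    print("skip MFA, with token:", may_skip_mfa("alice", KNOWN_FP, ENROLLED, TOKEN))
```
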
The researchers claimed they could fool state-of-the-art fingerprinting solutions like FPStalker and Panopticlick for long periods of time by just capturing the victim's fingerprint once.
The researchers explained their findings in an arXiv paper: "Our results showed that Gummy Browsers can successfully impersonate the victim’s browser transparently almost all the time without affecting the tracking of legitimate users."
The attack system obtained average false-positive rates of greater than 0.95 in experimental tests, meaning that most of the faked fingerprints were misidentified as real ones, successfully fooling the digital fingerprinting algorithms. A breach of ad privacy and a bypass of defensive procedures put in place to verify users and detect fraud are two consequences of such an attack.
"The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser fingerprinting is starting to get widely adopted in the real world," the researchers concluded. "In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale."