A researcher has created a website that uses your installed Google Chrome extensions to generate a fingerprint of your device that can be used to track you online.
To track users on the web, it is possible to create fingerprints, or tracking hashes, based on various characteristics of a device connecting to a website. These characteristics include GPU performance, installed Windows applications, a device’s screen resolution, hardware configuration, and even the installed fonts.
It is then possible to track a device across sites using the same fingerprinting method.
Fingerprint from installed Chrome extensions
Yesterday, web developer ‘z0ccc’ shared a new fingerprinting site called ‘Extension Fingerprints’ that can generate a tracking hash based on a browser’s installed Google Chrome extensions.
When creating a Chrome browser extension, it is possible to declare certain assets as ‘web accessible resources‘ that web pages or other extensions can access.
These resources are typically image files, which are declared using the ‘web_accessible_resources‘ property in a browser extension’s manifest file.
An example declaration of web-accessible resources is shown below:
Fingerprint from installed Chrome extensions
Yesterday, web developer ‘z0ccc’ shared a new fingerprinting site called ‘Extension Fingerprints’ that can generate a tracking hash based on a browser’s installed Google Chrome extensions.
When creating a Chrome browser extension, it is possible to declare certain assets as ‘web accessible resources‘ that web pages or other extensions can access.
These resources are typically image files, which are declared using the ‘web_accessible_resources‘ property in a browser extension’s manifest file.
An example declaration of web-accessible resources is shown below:
Some popular extensions, such as MetaMask, do not expose any resources, but z0ccc could still identify if they are installed by checking if “typeof window.ethereum equals undefined.”
While those with no extensions installed will have the same fingerprint and be less useful for tracking, those with many extensions will have a less common fingerprint that can be used to track them around the web.
However, adding other characteristics to the fingerprinting model can further refine the fingerprint, making the hashes unique per user.
“This is definitely a viable option for fingerprinting users,” z0ccc explained in an email to BleepingComputer.
“Especially using the ‘fetching web accessible resources’ method. If this is combined with other user data (like user agents, timezones etc) users could be very easily identified.”
with no extensions
The Extensions Fingerprints site only works with Chromium browsers installing extensions from the Chrome Web Store. While this method will work with Microsoft Edge, it would need to be modified to use extension IDs from Microsoft’s extension store.
This method does not work with Mozilla Firefox add-ons as Firefox extension IDs are unique for every browser instance.
uBlock is the most commonly installed
While z0ccc is not collecting any data regarding installed extensions, his own tests showed that uBlock installed is the most common extension fingerprint.
“By far the most popular is having no extensions installed. As previously said I do not collect specific extension data but in my own testing it seems that having only ublock installed is a common extension fingerprint,” shared z0ccc.
“Having 3+ detectable extensions installed seems to always make your fingerprint very unique.”
Below are the percentages of users with various popular extensions installed from tests conducted by BleepingComputer.
- 58.248% – No extensions installed or enabled.
- 2.065% – Only Google Docs Offline, which is the only extension installed by default.
- 0.528% – uBlock Origin + Google Docs Offline
- 0.238% – AdBlock + Google Docs Offline
- 0.141% – Adobe Acrobat + Google Docs Offline
- 0.122% – Google Translate + Google Docs Offline
- 0.019% – Malwarebytes Browser Guard
- 0.058% – Grammarly + Google Docs Offline
- 0.058% – LastPass + Google Docs Offline
- 0.051% – Honey + Google Docs Offline
- 0.013% – ColorZilla + Google Docs Offline
In our tests, installing three to four extensions brought the percentage of users using the same extension to as low as 0.006%. Obviously, the more installed extensions, the fewer people will have the same combination installed.
z0ccc says the 0.006% percentage indicates that you are the only user with that combination of extensions, but this will change as more people visit the site.
Extension Fingerprints has been released as an open-source React project on GitHub, allowing anyone to see how to query for the presence of installed extensions.
Update 6/19/22: Clarified that z0ccc did not discover the method to detect installed extensions but rather the timing comparison method.