Fingerprinting Google Chrome Extensions to Track You Online
A researcher has developed a website that leverages your installed Google Chrome Extensions to produce a fingerprint of your device that can be utilized to track you online. To track users online, it's possible to create fingerprints, or tracking hashes, based on several features of a device connecting to a website. These features include GPU performance, installed Windows applications, hardware configuration, a device's screen resolution, and even the installed fonts.
Fingerprints from Installed Chrome Extensions
On 18th June 2022, web creator 'z0ccc' shared a new fingerprinting site - Extension Fingerprints that can produce a tracking hash based on a browser's installed Chrome extensions. When developing a browser extension, it's possible to declare particular assets as web-accessible resources that web pages or other extensions can access. These can be image files finalized using the 'web_accessible_resources' feature in an extension's manifest file.
Revealed in 2019, it's possible to leverage web-accessible resources to check for installed extensions and produce a fingerprint of a visitor's browser depending on the combination of found extensions. To prevent detection, z0ccc says that few extensions leverage a secret token needed to access a web resource. However, the researcher found a Resource timing comparison approach that can still be utilized to detect if the extension is installed.
To display this fingerprinting technique, z0ccc developed an Extension Fingerprints website that will monitor a visitor's browser for the existence of web-accessible resources in 1170 popular extensions on the Chrome Web Store. For example, the site will identify extensions: ColorZilla, LastPass, Grammarly, Honey, uBlock, Rakuten, and Adobe Acrobat.
Websites with no extensions installed will have the same fingerprint and be less beneficial for tracking, and those with many will have a less common fingerprint that can be used to track online.
The Most Commonly Installed Extension: uBlock
While z0ccc isn't collecting any data regarding installed extensions, his tests showed that uBlock installed is the most common extension. z0ccc shared, by far the most popular, doesn't have any extensions installed. Priorly said, it doesn't collect specific extension data, but in my testing, it seems that having only uBlock installed is a standard extension fingerprint.
z0ccc says the 0.006% indicates that you're the only user with that combination of extensions, but this will transform as more people visit the site. Extensions Fingerprints has been launched as an open-source React project on GitHub, letting people see how to query the presence of installed extensions.\