Google Chrome Extensions Can Be Fingerprinted For Online Tracking

A researcher has built a website that utilizes installed Google Chrome extensions to generate a fingerprint of the device that can be used to track the user online.

In tracking users online, it is possible to create fingerprints, or tracking hashes, using the characteristics of a device connected to a website such as GPU performance, installed Windows applications, a device’s screen resolution, hardware configuration, and the installed fonts.

It is then possible to track a device on various sites through the same fingerprinting method.

Very recently, web developer ‘z0ccc’ shared a new fingerprinting site called ‘Extension Fingerprints’ that is able to generate a tracking hash using a browser’s installed Google Chrome extensions.

In building a Chrome browser extension, creators may be able to declare certain assets as ‘web accessible resources’ that web pages or other extensions may be able to access.

It is also possible to utilize web-accessible resources to detect installed extensions and come up with a fingerprint of a visitor’s browser based on the merger of found extensions.

To evade detection, some extensions, according to z0ccc, use a secret token that is required to access a web resource. But the researcher uncovered a ‘Resource timing comparison’ method that may still be used to monitor if the extension is installed.

“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed,” said z0ccc on the project’s GitHub page.

The extensions that the website is able to identify are uBlock, LastPass, Adobe Acrobat, Honey, Grammarly, Rakuten, and ColorZilla.

The Extensions Fingerprints site only functions via Chromium browsers installing extensions from the Chrome Web Store. While this method will likewise work with Microsoft Edge, it still has to be modified to use extension IDs from Microsoft’s extension store.

Finally, this method does not work with Mozilla Firefox add-ons as Firefox extension IDs are unique in each browser instance.

While z0ccc does not have data regarding installed extensions, his own tests illustrate that uBlock is the most ubiquitous extension fingerprint.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web