Section: New Results
BELL: Browser fingerprinting via Extensions and Login-Leaks
Recent work showed that websites can detect browser extensions that users install and websites they are logged into. This poses significant privacy risks, since extensions and Web logins can leak sensitive information and be used to track users via fingerprinting.
In joint work with Gabor Gulyas and Claude Castelluccia (Privatics team, Inria Grenoble), we report on the first large-scale study of this new form of fingerprinting, based on more than 16,000 users who visited our website (https://extensions.inrialpes.fr/). Our website identifies installed Google Chrome extensions via Web Accessible Resources, and detects logged in websites by methods that rely on URL redirection and CSP violation report. Our website is able to test and detect the presence of 16,743 Chrome extensions, covering 28% of all free Chrome extensions. We also test whether the user is connected to 60 different websites.
We compute uniqueness of collected fingerprints, and find out that 54.86% of users that have installed at least one detectable extension are unique; 19.53% are unique because they logged in one or more detectable websites; and 89.23% of users are unique because they have at least one extension and one login detected.