Section: New Results

BELL: Browser fingerprinting via Extensions and Login-Leaks

Recent work showed that websites can detect browser extensions that users install and websites they are logged into. This poses significant privacy risks, since extensions and Web logins can leak sensitive information and be used to track users via fingerprinting.

In joint work with Gabor Gulyas and Claude Castelluccia (Privatics team, Inria Grenoble), we report on the first large-scale study of this new form of fingerprinting, based on more than 16,000 users who visited our website (https://extensions.inrialpes.fr/). Our website identifies installed Google Chrome extensions via Web Accessible Resources, and detects the websites a user is logged into by methods that rely on URL redirection and CSP violation reports. Our website is able to test and detect the presence of 16,743 Chrome extensions, covering 28% of all free Chrome extensions. We also test whether the user is connected to 60 different websites.

We compute the uniqueness of the collected fingerprints, and find that 54.86% of users that have installed at least one detectable extension are unique; 19.53% are unique because they are logged into one or more detectable websites; and 89.23% of users are unique because they have at least one extension and one login detected.
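The uniqueness measure described above can be reproduced on any set of collected fingerprints by counting anonymity-set sizes. The following is an added example, not the study's code: the user records are constructed, the names `USERS`, `uniqueness` and `report` are hypothetical, and it assumes each percentage is taken over the users who have at least one detected attribute of the kind in question.

```python
from collections import Counter

# Constructed sample: user id -> (detected extensions, detected logins).
USERS = {
    "u1": ({"ext_a", "ext_b"}, {"site_x"}),
    "u2": ({"ext_a"}, {"site_x"}),
    "u3": ({"ext_a"}, {"site_x", "site_y"}),
    "u4": (set(), {"site_x"}),
    "u5": ({"ext_c"}, set()),
    "u6": ({"ext_a"}, set()),
    "u7": (set(), set()),
}


def uniqueness(fingerprints):
    """Return (unique_users, population) for a dict of user -> hashable fingerprint.

    A user is unique when their anonymity set (the users sharing the exact
    same fingerprint) has size 1.
    """
    set_sizes = Counter(fingerprints.values())
    unique = sum(1 for fp in fingerprints.values() if set_sizes[fp] == 1)
    return unique, len(fingerprints)


def report(users):
    """Uniqueness by extensions only, logins only, and both combined.

    Assumption: each population holds only users with at least one detected
    attribute of that kind (and at least one of each for "both").
    """
    ext = {u: frozenset(e) for u, (e, l) in users.items() if e}
    log = {u: frozenset(l) for u, (e, l) in users.items() if l}
    both = {u: (frozenset(e), frozenset(l))
            for u, (e, l) in users.items() if e and l}
    return {
        "extensions": uniqueness(ext),
        "logins": uniqueness(log),
        "both": uniqueness(both),
    }


if __name__ == "__main__":
    for kind, (unique, total) in report(USERS).items():
        print(f"{kind}: {unique}/{total} unique ({100 * unique / total:.2f}%)")
```

In the constructed data, users who are indistinguishable by extensions alone or by logins alone become unique once both attribute sets are combined, which is the effect behind the higher combined figure reported above.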

We optimize the fingerprinting algorithm and show that it is possible to fingerprint a user in less than 625 milliseconds by selecting the most identifying combinations of extensions. Moreover, we discover that 22.98% of users can be uniquely identified and tracked by Web logins, even if they disable JavaScript. We conclude with possible countermeasures.