Home Chrome Extensions may be dangerous

Chrome Extensions may be dangerous

High Alert

Chrome Chrome

Google Chrome extensions can be used to track users’ activities on the web. Researcher, z0cc has developed a website that, by analyzing the Google Chrome extensions a user has installed on their computer, can produce a digital fingerprint that can be used to follow a user’s online activity. It is possible to construct fingerprints, also known as tracking hashes, to track users on the web. These fingerprints are made up of many details about a device that connects to a website. Chrome extensions can be identified by retrieving the web-accessible resources of such extensions. Using a method called “browser fingerprinting,” the found extensions can be used to find and identify users. “Extension Fingerprints” is a new fingerprinting site that was released by web developer z0ccc. This site can build a tracking hash for a browser based on the Google Chrome extensions that are currently loaded and installed on that browser. It is possible to declare specific assets as “web accessible resources” while developing a Chrome browser extension. These resources can then be accessed by web pages or by other extensions. It is feasible to use resources that are accessible via the internet to check for extensions that have been installed and to produce a fingerprint of a visitor’s browser depending on the mix of extensions that are installed in the browser. As explained by z0cc, “Web-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension’s bundle can be made web accessible.” Google Chrome users who have no extensions have the same fingerprint and are less valuable for tracking, whereas those with several extensions have a less common fingerprint that can be used to track them online. Certain extensions make use of a secret token that must be entered in order to gain access to a web resource in order to avoid being detected.

This post is licensed under CC BY 4.0 by the author.