A web developer has created a website that can generate a unique online tracking fingerprint based on Chrome extensions installed in a user’s browser.
The technique is based on fetching the extensions’ web-accessible resources, a type of file within the extension’s infrastructure that web pages can access. By detecting the combination of installed extensions on a user’s browser, the website can generate a unique tracking hash and use it to track the user online.
The procedure was previously demonstrated in 2019, but the website has only recently been created. Some extensions can evade detection by employing secret tokens required to access their web resources.
z0ccc, the web developer behind the project, discovered a novel ”resource timing comparison” technique that can bypass the secret token limitation by running some timing tests.
“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed,” z0cccsaid on the project’s GitHub page. “By comparing the timing differences you can accurately determine if the protected extensions are installed.”
z0ccc’s extension fingerprinting website checks for web-accessible resources in visitors’ Chrome browser extensions. Currently, the website works with over 1,000 popular extensions, but it only supports those available on Chrome’s Web Store.
It also works with extensions installed from the Chrome Web Store in Chromium browsers, such as Microsoft Edge. The same technique could detect Edge extensions from Microsoft’s dedicated store, but z0ccc’s website doesn’t support this feature.
It’s worth noting that the method doesn’t work for Firefox extensions. Firefox extension IDs are unique for each browser instance, making the web-accessible resources URL impossible to detect by third parties.
To prevent fingerprinting through browser extension detection, users can limit the number of extensions they install on their Chrome and Chromium browsers. Installing more extensions and in unique combinations increases the odds of having a distinctive tracking hash, which facilitates fingerprinting.