Google Chrome extensions can be fingerprinted to track you online

A researcher has created a website that uses your installed Google Chrome extensions to generate a fingerprint of your device that can be used to track you online.

To track users on the Internet, it is possible to create fingerprints or tracking hashes based on various characteristics of a device connecting to a website. These features include GPU performance, installed Windows applications, a device’s screen resolution, hardware configuration, and even the installed fonts.

It is then possible to track a device in different locations using the same fingerprint method.

Fingerprint of installed Chrome extensions

Yesterday, web developer ‘z0ccc’ shared a new fingerprinting site called ‘Extension Fingerprints’ that can generate a tracking hash based on the Google Chrome extensions installed in a browser.

When creating a Chrome browser extension, it is possible to declare certain items as ‘web accessible resources’ which web pages or other extensions can access.

These resources are usually image files, which are declared with the ‘web_accessible_resources’ property in the manifest file of a browser extension.

An example declaration of web-accessible resources is shown below:

"web_accessible_resources": [
    {
      "resources": [ "logo.png" ],
      "matches": [ "https://www.bleepingcomputer.com/*" ]
    }
],

As previously announced in 2019, it is possible to use web-accessible resources to check for installed extensions and generate a fingerprint of a visitor’s browser based on the combination of extensions found.

To avoid detection, z0ccc says that some extensions use a secret token needed to access a web resource. However, the researcher discovered a ‘Resource timing comparison’ method that can still be used to detect if the extension is installed.

“It takes longer to retrieve resources from protected extensions than resources from extensions that are not installed. By comparing the timing differences, you can accurately determine whether the protected extensions are installed,” explains z0ccc on the project’s GitHub page.
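To see which of an extension's files are exposed in the way described above, the manifest can be audited directly. The following is an added example, not code from the article or from the Extension Fingerprints project: it handles both the Manifest V2 string form and the Manifest V3 object form (including the `use_dynamic_url` key), the risk labels are this example's own heuristic, and the sample manifests are constructed. A "low" or "medium" label does not rule out the timing comparison the researcher describes.

```javascript
// Match patterns that expose a resource to every site.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    // Manifest V2: plain strings, loadable by any web page.
    if (typeof entry === "string") {
      findings.push({ resource: entry, exposedTo: ["<all_urls>"], risk: "high",
        reason: "MV2 entry: any page can request it at a stable URL" });
      continue;
    }
    // Manifest V3: objects scoped by "matches" and/or "extension_ids".
    const matches = entry.matches || [];
    const broad = matches.some((m) => BROAD.has(m));
    for (const resource of entry.resources || []) {
      let risk, reason;
      if (matches.length === 0) {
        [risk, reason] = ["none", "exposed only to listed extensions, not web pages"];
      } else if (entry.use_dynamic_url === true) {
        [risk, reason] = ["low", "resource URL is regenerated per session"];
      } else if (broad) {
        [risk, reason] = ["high", "any page can request it at a stable URL"];
      } else {
        [risk, reason] = ["medium", "only the listed origins can request it"];
      }
      findings.push({ resource, exposedTo: matches, risk, reason });
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MV3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["logo.png"], matches: ["https://www.bleepingcomputer.com/*"] },
    { resources: ["inject.js"], matches: ["<all_urls>"] },
    { resources: ["panel.html"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};
const SAMPLE_MV2 = { manifest_version: 2, web_accessible_resources: ["icon.png"] };

// Compact "risk:resource" view of the findings for a manifest.
function summarize(manifest) {
  return auditManifest(manifest).map((f) => `${f.risk}:${f.resource}`);
}
console.log(summarize(SAMPLE_MV3), summarize(SAMPLE_MV2));
```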

To illustrate this fingerprint method, z0ccc created an Extension Fingerprints website which checks a visitor’s browser for the existence of web-accessible resources in 1170 popular extensions available on the Google Chrome Web Store.

Some of the extensions that the website will identify are uBlock, LastPass, Adobe Acrobat, Honey, Grammarly, Rakuten, and ColorZilla.

Based on the combination of extensions installed, the website generates a tracking hash that can be used to track that particular browser as shown below.

Generate an extension fingerprint
Source: BleepingComputer

Some popular extensions, such as MetaMask, do not provide resources, but z0ccc can still identify whether they are installed by checking if “typeof window.ethereum equals undefined.”

While those with no extensions installed will have the same fingerprint and will be less useful for tracking, those with many extensions will have a less common fingerprint that can be used to track them around the web.

However, adding other attributes to the fingerprint model can further refine the fingerprint, making the hashes unique per user.

“This is certainly a viable option for fingerprinting users,” z0ccc explained in an email to BleepingComputer.

“Especially using the ‘retrieve web-accessible resources’ method. When combined with other user data (such as user agents, time zones, etc.), users can be identified very easily.”

The Extension Fingerprints site only works with Chromium browsers that install extensions from the Chrome Web Store. While this method works with Microsoft Edge, it must be modified to use extension IDs from Microsoft’s extension store.

This method will not work with Mozilla Firefox add-ons, as Firefox extension IDs are unique for each browser instance.

uBlock is the most installed

While z0ccc does not collect data about installed extensions, the researcher's own tests have shown that having uBlock installed is the most common extension fingerprint.

“By far the most popular is that no extensions are installed. As mentioned before, I don’t collect any specific extension data, but in my own testing, it seems that installing only ublock is a common extension fingerprint,” shared z0ccc.

“If you have 3+ discoverable extensions installed, your fingerprint always seems to be very unique.”

Below are the percentages of users with various popular extensions installed from tests conducted by BleepingComputer.

  • 58.248% – No extensions installed or enabled.
  • 2.065% – Only Google Docs Offline, the only extension installed by default.
  • 0.528% – uBlock Origin + Google Docs Offline
  • 0.238% – AdBlock + Google Docs Offline
  • 0.141% – Adobe Acrobat + Google Docs Offline
  • 0.122% – Google Translate + Google Docs Offline
  • 0.019% – Malwarebytes Browser Guard
  • 0.058% – Grammarly + Google Docs Offline
  • 0.058% – LastPass + Google Docs Offline
  • 0.051% – Honey + Google Docs Offline
  • 0.013% – ColorZilla + Google Docs Offline

In our tests, installing three to four extensions brought the percentage of users with the same combination of extensions to just 0.006%. Obviously, the more extensions installed, the fewer people have the same combination installed.

z0ccc says the percentage of 0.006% indicates that you are the only user with that combination of extensions, but this will change as more people visit the site.

Extension Fingerprints has been released as an open-source React project on GitHub so that everyone can see how to query for the presence of installed extensions.

Update 6/19/22: Clarifies that z0ccc did not discover the method to detect installed extensions, but rather the method to compare timing.
