Academics have come up with a new technique that leaks data about users' browsers, enough to defeat anti-fingerprinting systems and privacy-preserving browser extensions and to identify users by their browser and underlying platform in a way that has not been done before.
The research team says these templates can be used at a later point to scan a visiting user and detect specific environment details based on the default property values the user's browser returns.
This data can be used for creating user profiles (for traffic/user fingerprinting) that break user anonymity or for devious means, like refining the targeting of zero-day exploits.
A pretty powerful & accurate attack
The research team said tests showed their method was able to distinguish between all 40 tested environments; distinguish browsers down to the exact version; determine installed extensions based on how they modified native property values; determine even individual extension settings; determine extremely technical details such as the CPU vendor and the actual operating system (not the one declared by user agents, which can be faked); determine the presence of a browser private mode; and even determine whether the browser was running from within a virtual machine.
This information might be useful for tracking or might be more useful for refining exploits. It all depends on what the threat actor is trying to do, but the conclusion is that the method is reliable enough to work and bypass even privacy-hardened environments, like Tor on Android.
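For an extension author who wants to see which property changes make their own extension detectable, the comparison described above can be reproduced as a self-audit. The following is an added, simplified illustration and not the researchers' code; `buildTemplate`, `diffTemplates` and the sample objects are hypothetical names and constructed data.

```javascript
// Added illustration; the objects at the bottom are constructed stand-ins,
// not real browser globals.

// Record every reachable own property of `root` as path -> value summary.
function buildTemplate(root, maxDepth = 3) {
  const template = new Map();
  const seen = new WeakSet();
  (function walk(obj, path, depth) {
    if (depth > maxDepth || seen.has(obj)) return;
    seen.add(obj);
    for (const key of Reflect.ownKeys(obj)) {
      const name = `${path}.${String(key)}`;
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if (!("value" in desc)) {
        template.set(name, "accessor"); // record the shape, never invoke getters
        continue;
      }
      const v = desc.value;
      if (typeof v === "function") {
        // A script-defined wrapper stringifies differently from a native function.
        template.set(name, `function:${Function.prototype.toString.call(v)}`);
      } else if (v !== null && typeof v === "object") {
        template.set(name, "object");
        walk(v, name, depth + 1);
      } else {
        template.set(name, `${typeof v}:${String(v)}`);
      }
    }
  })(root, "root", 0);
  return template;
}

// List the paths whose presence or value differs between two templates.
function diffTemplates(baseline, observed) {
  const changes = [];
  for (const [path, value] of baseline) {
    if (!observed.has(path)) changes.push({ path, kind: "removed" });
    else if (observed.get(path) !== value) changes.push({ path, kind: "changed" });
  }
  for (const path of observed.keys()) {
    if (!baseline.has(path)) changes.push({ path, kind: "added" });
  }
  return changes.sort((a, b) => (a.path < b.path ? -1 : 1));
}

// Constructed sample: a stock profile and one altered by a hypothetical extension.
const stock = { navigator: { platform: "Linux x86_64", hardwareConcurrency: 8 } };
const hardened = { navigator: { platform: "Win32", hardwareConcurrency: 8 }, __hook: true };
const auditResult = diffTemplates(buildTemplate(stock), buildTemplate(hardened));
console.log(auditResult);
```

Every path in the output is a deviation from the stock template that a page script could observe, so an empty diff is the goal for an extension that aims to stay undetectable.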