Researchers have significantly improved the ability to generate a unique fingerprint for your computer by reading how the operating system and hardware respond to certain browser actions.
Cookies used to be the preferred way to track users online, but the same result can be achieved with browser fingerprinting, which use characteristics of the browser when it visits a site to create a unique identifier for the user.
A group of researchers from France's INRIA last year revealed how they could use the configuration of a user's browser and OS when they visit a website to uniquely identify 90 percent of desktops.
That technique has now been trumped by Yinzhi Cao and Song Li from the Lehigh University in Pennsylvania and Erik Wijmans from Washington University in St Louis, who detail a new cross-browser method that can identify 99.24 percent of desktop users. The technique is now available to any website for tracking users.
Besides achieving a higher fingerprinting rate, the new cross-browser fingerprinting technique can track users across different browsers on the same machine, whereas INRIA's technique was limited to tracking a user within a single browser.
The US researchers' approach relies on operating system and hardware features, such as those found in graphics cards, CPU, audio and installed writing scripts. They demonstrate the fingerprinting technique on the UniqueMachine website, which is where they also gather data from test subjects.
Fingerprinted hardware features include the screen resolution, color depth, list of fonts, the number virtual CPU cores, and the audio stack exposed by AudioContext, which researchers from Princeton University have previously used for browser fingerprinting. They've also added several features from the GPU.
However, the researchers highlight that their fingerprinting method fails when encountering the Tor Browser, because it removes most of the features they use to fingerprint a device, with the exception of screen width, height ration, and audio context information.
More on security
- The worst passwords of 2016 are as lazy as ever
- Robots need rights, and kill switches too, warn politicians
- First came mass MongoDB ransacking: Now copycat ransoms hit Elasticsearch
- This phishing scam poses as a charity email, delivers Ramnit banking Trojan malware
- Mobile hacking firm Cellebrite confirms server breach