Google Chrome extensions can be used to track users' activities on the web.
A researcher named z0ccc has developed a website that, by analyzing the Google Chrome extensions a user has installed on their computer, can produce a digital fingerprint that can be used to follow a user's online activity.
It is possible to construct fingerprints, also known as tracking hashes, to track users on the web. These fingerprints are made up of many details about a device that connects to a website.
Chrome extensions can be identified by retrieving the web-accessible resources of such extensions. Using a method called "browser fingerprinting," the detected extensions can be used to find and identify users.
Google Chrome Tracking by Fingerprints
"Extension Fingerprints" is a new fingerprinting site that was released by web developer z0ccc. This site can build a tracking hash for a browser based on the Google Chrome extensions that are currently loaded and installed on that browser.
It is possible to declare specific assets as "web accessible resources" while developing a Chrome browser extension. These resources can then be accessed by web pages or by other extensions.
A web page can use these web-accessible resources to check which extensions are installed and to produce a fingerprint of a visitor's browser based on the combination of extensions installed in it.
As explained by z0ccc, "Web-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension's bundle can be made web accessible."
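For a defender, the matching check is which installed extensions declare web-accessible resources that any page may request. The JavaScript below is an added example, not code from z0ccc's site or from Chrome; the function name `auditManifest`, the exposure labels and the sample manifests are assumptions constructed here, while the manifest keys are those of Chrome's Manifest V2 and V3 formats.

```javascript
// Added example. Match patterns treated as "any web page" (assumption: this
// short list covers the common wildcard forms).
const BROAD = new Set(["<all_urls>", "*://*/*", "https://*/*", "http://*/*"]);
const RANK = { none: 0, "extensions-only": 1, "some-sites": 2, "all-sites": 3 };

// Classify how widely one parsed manifest.json exposes its resources.
function auditManifest(manifest) {
  const war = manifest.web_accessible_resources;
  const result = { name: manifest.name, exposure: "none", resources: [], dynamicUrl: false };
  if (!Array.isArray(war) || war.length === 0) return result;

  // Manifest V2: a flat list of paths that every web page may request.
  if (war.every((entry) => typeof entry === "string")) {
    return { ...result, exposure: "all-sites", resources: [...war] };
  }

  // Manifest V3: objects scoped by `matches` (pages) or `extension_ids`.
  const pageEntries = [];
  for (const entry of war) {
    if (entry === null || typeof entry !== "object") continue;
    const matches = Array.isArray(entry.matches) ? entry.matches : [];
    let exposure = "extensions-only";
    if (matches.some((m) => BROAD.has(m))) exposure = "all-sites";
    else if (matches.length > 0) exposure = "some-sites";
    if (RANK[exposure] > RANK[result.exposure]) result.exposure = exposure;
    if (matches.length > 0) pageEntries.push(entry);
    result.resources.push(...(Array.isArray(entry.resources) ? entry.resources : []));
  }
  // `use_dynamic_url` makes Chrome serve the resource under a per-session ID.
  result.dynamicUrl = pageEntries.length > 0 &&
    pageEntries.every((e) => e.use_dynamic_url === true);
  return result;
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  { name: "mv2-example", manifest_version: 2, web_accessible_resources: ["img/logo.png"] },
  { name: "mv3-broad", manifest_version: 3,
    web_accessible_resources: [{ resources: ["inject.css"], matches: ["<all_urls>"] }] },
  { name: "mv3-scoped", manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.html"], matches: ["https://example.com/*"], use_dynamic_url: true }] },
  { name: "mv3-ext-only", manifest_version: 3, web_accessible_resources: [
    { resources: ["api.js"], extension_ids: ["<placeholder-extension-id>"] }] },
  { name: "no-resources", manifest_version: 3 },
];

for (const row of SAMPLE_MANIFESTS.map(auditManifest)) {
  console.log(`${row.name}: ${row.exposure} dynamicUrl=${row.dynamicUrl} [${row.resources.join(", ")}]`);
}
```

To audit a real profile, parse each installed extension's `manifest.json` and pass the resulting object to `auditManifest`; the labels describe declared exposure only.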
Preventing Extensions from Tracking
Google Chrome users who have no extensions have the same fingerprint and are less valuable for tracking, whereas those with several extensions have a less common fingerprint that can be used to track them online.
According to Bleeping Computer, z0ccc stated that certain extensions try to avoid detection by requiring a secret token to access their web resources.
Nevertheless, the researcher came up with a method called "Resource timing comparison" that can still be used to determine whether or not such an extension is installed.
Some extensions generate a secret token to access their web resources to avoid detection. Fetching fails without the secret token. Detecting protected extensions is tricky but feasible.
Resources of protected extensions take longer to load than resources of extensions that are not installed. Comparing these timing differences helps tell whether a protected extension is installed.
As an example of how this fingerprinting technique works, z0ccc developed a website called "Extension Fingerprints."
This website checks the visitor's browser for web-accessible resources belonging to any of the 1,170 most popular extensions in the Google Chrome Web Store.
Adobe Acrobat, ColorZilla, Grammarly, Honey, LastPass, Rakuten, and uBlock are just some of the extensions that the website will recognize as being installed on the user's computer.
The Extension Fingerprints website only works with Chromium browsers that have extensions installed from the Chrome Web Store.
This approach is compatible with Microsoft Edge; however, it would need to be altered in order to make use of extension IDs obtained through the Microsoft Extension Store.
Additionally, since Firefox extension IDs are unique for each browser instance, this approach does not work with Mozilla Firefox add-ons.