Security-focused web developer z0ccc has created a web application that shows how other websites track users’ Internet activity via their installed Chrome extensions.
“Extension Fingerprints” detects which Chrome extensions a user has installed and generates a unique tracking hash.
“Chrome extensions can be detected by fetching their web-accessible resources — the files inside an extension that web pages can access,” z0ccc explained.
“The detected extensions can be used to track you through browser fingerprinting.”
Browser fingerprinting lets websites build a unique identifier for users from data such as browser type and version, time zone, operating system, active plugins, and language.
The developer said that when an author creates a Chrome extension, they can declare certain assets as web-accessible resources.
“Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension’s bundle can be made web-accessible,” z0ccc said.
“A webpage can successfully fetch an installed extension’s web-accessible resource. If the fetch fails, it usually means that it is not installed.”
The developer explained that some extensions prevent detection by generating a secret access token.
“Any fetch operation made without the secret token will fail. Although it’s much more difficult to detect these protected extensions, it’s still possible,” z0ccc said.
To detect if a user has these protected extensions installed, z0ccc created a resource timing comparison feature.
“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed.”
“By comparing the timing differences, you can accurately determine if the protected extensions are installed,” the developer said.
The developer told BleepingComputer that users with more extensions have a more unique fingerprint, making them more trackable.
The Extension Fingerprints website only works with Chromium browsers that install extensions from the Chrome Web Store, but it can be modified to work with Microsoft’s Edge browser.
This method cannot work with Mozilla Firefox, since Firefox generates unique extension IDs for every browser instance.
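
The fetch probe described above can only reach files an extension declares as web-accessible, so the extension's manifest is where that exposure is decided. As an added example (not from the article or from z0ccc's project), this JavaScript audits a manifest and lists the resources any website could fetch; the sample manifest and the `auditManifest` helper are constructed for illustration, and `use_dynamic_url` is Chrome's Manifest V3 key, which the article does not mention.

```javascript
// Added example: audit a Chrome extension manifest for web-accessible
// resources that any web page could fetch. Helper name is hypothetical.

// Match patterns that expose a resource to every website.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const war = manifest.web_accessible_resources || [];
  const findings = [];
  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of paths, each readable from any origin.
    for (const path of war) {
      findings.push({ resource: path, exposedTo: "any page", dynamicUrl: false });
    }
    return findings;
  }
  // Manifest V3: each entry scopes its resources with "matches"
  // and/or "extension_ids".
  for (const entry of war) {
    const broad = (entry.matches || []).filter((m) => BROAD.has(m));
    if (broad.length === 0) continue; // limited to named sites or extensions
    for (const path of entry.resources || []) {
      findings.push({
        resource: path,
        exposedTo: broad.join(", "),
        // Recorded so the author can see which entries opt in to per-session URLs.
        dynamicUrl: entry.use_dynamic_url === true,
      });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  manifest_version: 3,
  name: "Example Extension",
  web_accessible_resources: [
    { resources: ["images/logo.png", "inject.css"], matches: ["<all_urls>"] },
    { resources: ["panel.html"], matches: ["https://app.example.com/*"] },
    { resources: ["fonts/*.woff2"], matches: ["*://*/*"], use_dynamic_url: true },
  ],
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.resource} -> ${f.exposedTo} (dynamic URL: ${f.dynamicUrl})`);
}
```

Entries scoped to specific sites, such as `panel.html` here, are left out of the findings because pages on other origins cannot fetch them.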