{"id":449386,"date":"2022-06-20T10:53:33","date_gmt":"2022-06-20T08:53:33","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=449386"},"modified":"2022-06-20T10:58:16","modified_gmt":"2022-06-20T08:58:16","slug":"websites-can-detect-installed-chrome-extensions-and-track-users-with-them","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/software\/449386-websites-can-detect-installed-chrome-extensions-and-track-users-with-them.html","title":{"rendered":"Websites can detect installed Chrome Extensions and track users with them"},"content":{"rendered":"<p>Security-focused web developer z0ccc has created a web application that shows how other websites track users&#8217; Internet activity via their installed Chrome extensions.<\/p>\n<p>&#8220;<strong><a href=\"https:\/\/z0ccc.github.io\/extension-fingerprints\/\" target=\"_blank\" rel=\"noopener\">Extension Fingerprints<\/a><\/strong>&#8221; detects which Chrome extensions a user has installed and generates a unique tracking hash.<\/p>\n<p>&#8220;Chrome extensions can be detected by fetching their web-accessible resources \u2014 the files inside an extension that web pages can access,&#8221; z0ccc <strong><a href=\"https:\/\/github.com\/z0ccc\/extension-fingerprints#resource-timing-comparison\" target=\"_blank\" rel=\"noopener\">explained<\/a><\/strong>.<\/p>\n<p>&#8220;The detected extensions can be used to track you through browser fingerprinting.&#8221;<\/p>\n<p>Browser fingerprinting lets websites build a unique identifier for users from data such as browser type and version, time zone, operating system, active plugins, and language.<\/p>\n<p>The developer said when an author creates a Chrome extension, they can declare certain assets as web-accessible resources.<\/p>\n<p>&#8220;Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension&#8217;s bundle can be made web-accessible,&#8221; z0ccc said.<\/p>\n<p>&#8220;A webpage can successfully fetch an installed extension&#8217;s web-accessible resource. If the fetch fails, it usually means that it is not installed.&#8221;<\/p>\n<p>The developer explained that some extensions prevent detection by generating a secret access token.<\/p>\n<p>&#8220;Any fetch operation made without the secret token will fail. Although it&#8217;s much more difficult to detect these protected extensions, it&#8217;s still possible,&#8221; z0ccc said.<\/p>\n<p>To detect if a user has these protected extensions installed, z0ccc created a resource timing comparison feature.<\/p>\n<p>&#8220;Resources of protected extensions will take longer to fetch than resources of extensions that are not installed.&#8221;<\/p>\n<p>&#8220;By comparing the timing differences, you can accurately determine if the protected extensions are installed,&#8221; the developer said.<\/p>\n<p>The developer <strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-chrome-extensions-can-be-fingerprinted-to-track-you-online\/\" target=\"_blank\" rel=\"noopener\">told<\/a><\/strong> BleepingComputer that users with more extensions have a more unique fingerprint, making them more trackable.<\/p>\n<p>The Extension Fingerprints website only works with Chromium browsers that install extensions from the Chrome Web Store, but it can be modified to work with Microsoft&#8217;s Edge browser.<\/p>\n<p>This method cannot work with Mozilla Firefox since it generates unique extension IDs for every browser instance.<\/p>\n<hr \/>\n<h3 class=\"my-4\">Now read: <a href=\"https:\/\/mybroadband.co.za\/news\/internet\/449222-uk-to-ditch-irritating-cookie-pop-ups-thanks-to-brexit.html\">UK to ditch &#8220;irritating&#8221; cookie pop-ups thanks to Brexit<\/a><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>A security researcher has demonstrated how websites can track user behaviour by building an online fingerprint from their Google Chrome extensions.<\/p>\n","protected":false},"author":341094,"featured_media":449388,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,16],"tags":[79158,14747,1137,30102,4930],"class_list":["post-449386","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet","category-software","tag-browser-fingerprinting","tag-chrome-extensions","tag-google-chrome","tag-microsoft-edge","tag-mozilla-firefox"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/449386"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341094"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=449386"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/449386\/revisions"}],"predecessor-version":[{"id":449402,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/449386\/revisions\/449402"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/449388"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=449386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=449386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=449386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}