Google Chrome Extensions Can Be Used To Track You Online – How Come?


Google Chrome extensions can be used to track user activities on the web.

A researcher named z0ccc has developed a website that, by analyzing the Google Chrome extensions a user has installed on their computer, can produce a digital fingerprint that can be used to track a user’s online activity.

It is possible to construct fingerprints, also known as tracking hashes, to track users across the web. These fingerprints consist of many details about a device that logs into a website.

Chrome extensions can be identified by requesting the web-accessible resources of those extensions. Using a method called “browser fingerprinting”, the set of extensions found can then be used to identify users.

Google Chrome Fingerprint Tracking

“Fingerprints Extension” is a new fingerprinting site released by web developer z0ccc. This site can create a tracking hash for a browser based on the Google Chrome extensions currently installed in that browser.

It is possible to declare specific assets as “web-accessible resources” when developing a Chrome browser extension. These resources can then be accessed through web pages or other extensions.

A web page can request these web-accessible resources to check which extensions are installed and to produce a fingerprint of a visitor’s browser based on the combination of extensions installed in the browser.

As explained by z0ccc: “Web-accessible resources are files inside an extension that are accessed by web pages or other extensions. Extensions typically use this feature to expose images or other elements that need to be loaded into web pages, but anything included in an extension’s bundle can be made accessible on the web.”

Prevent Extension Tracking

Google Chrome users who don’t have extensions have the same fingerprint and are less useful for tracking, while those who have multiple extensions have a less common fingerprint that can be used to track them online.

According to BleepingComputer, z0ccc said that some extensions use a secret token that must be supplied to access a web resource, in order to avoid detection.

Nevertheless, the researcher has come up with a method called “Resource Temporal Comparison” which can still be used to determine whether such an extension is installed or not.

Some extensions generate a secret token to access their web resources to avoid detection. Fetching the resource fails without the secret token. Detecting protected extensions is tricky but doable.

Resources of protected extensions take longer to fetch than resources of extensions that are not installed. Comparing these timing differences helps determine whether protected extensions are installed.
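
An added example, not code from the original article or from z0ccc's site: a defender-side audit in JavaScript that reads extension manifests, reports which extensions expose web-accessible resources at a fixed URL to every website, and hashes that set to show how the combination becomes an identifier. The manifests, IDs and function names are constructed for illustration; use_dynamic_url is a Manifest V3 key that the article does not mention, and the timing comparison described above is outside what this check covers.

```javascript
// Added example: constructed manifests, not real extensions.
// Match patterns that expose a resource to every website (simplified list).
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Resources of one manifest that any web page can request at a stable
// chrome-extension://<id>/<path> URL.
function probeableResources(manifest) {
  const exposed = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      exposed.push(entry); // Manifest V2: flat list, readable by any page
    } else if (!entry.use_dynamic_url &&
               (entry.matches || []).some((m) => BROAD.has(m))) {
      // Manifest V3: limited to `matches`; use_dynamic_url swaps the fixed
      // ID for a per-session one, so a fixed-URL probe no longer resolves.
      exposed.push(...(entry.resources || []));
    }
  }
  return exposed;
}

// installed: extensionId -> manifest. Returns the sorted IDs a site could detect.
function detectableExtensions(installed) {
  return Object.keys(installed)
    .filter((id) => probeableResources(installed[id]).length > 0)
    .sort();
}

// FNV-1a 32-bit over the ID list: a stand-in (assumption) for a tracking hash.
function fingerprint(ids) {
  let h = 0x811c9dc5;
  for (const ch of ids.join(",")) {
    h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed sample profile with placeholder 32-character IDs.
const SAMPLE = {
  ["a".repeat(32)]: { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  ["b".repeat(32)]: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.css"], matches: ["<all_urls>"] }] },
  ["c".repeat(32)]: { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.html"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  ["d".repeat(32)]: { manifest_version: 3 },
};

console.log(detectableExtensions(SAMPLE), fingerprint(detectableExtensions(SAMPLE)));
console.log("no extensions:", fingerprint([]));
```

A profile with no detectable extensions always hashes to the same value, which is why such users are less useful for tracking.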

To illustrate how this fingerprinting technique works, z0ccc has developed a website called “Fingerprints Extension”.

This website checks the visitor’s browser for web-accessible resources belonging to any of the 1170 most popular extensions in the Google Chrome Web Store.

Adobe Acrobat, ColorZilla, Grammarly, Honey, LastPass, Rakuten and uBlock are just some of the extensions that the website will recognize as installed on the user’s computer.

Only Chromium browsers with extensions installed from the Chrome Web Store will be able to use the Extensions Fingerprints website.

This approach is compatible with Microsoft Edge; however, it should be modified to use extension IDs obtained through the Microsoft Extension Store.

Also, since Firefox extension IDs are unique for each browser instance, this approach does not work with Mozilla Firefox add-ons.
