Research article. DOI: 10.1145/3267323.3268959

To Extend or not to Extend: On the Uniqueness of Browser Extensions and Web Logins

Published: 15 January 2018

Abstract

Recent work has shown that websites can detect the browser extensions that users install and the websites they are logged into. This poses significant privacy risks, since extensions and Web logins reflect a user's behavior and can therefore be used to uniquely identify users on the Web. This paper reports on the first large-scale behavioral uniqueness study, based on 16,393 users who visited our website. We test for and detect the presence of 16,743 Chrome extensions, covering 28% of all free Chrome extensions. We also detect whether the user is connected to 60 different websites. We analyze how unique users are based on their behavior, and find that 54.86% of users that have installed at least one detectable extension are unique; 19.53% of users are unique among those who have logged into one or more detectable websites; and 89.23% are unique among users with at least one extension and one login. We use an advanced fingerprinting algorithm and show that it is possible to identify a user in less than 625 milliseconds by selecting the most unique combinations of extensions. Because privacy extensions contribute to the uniqueness of users, we study the trade-off between the number of trackers blocked by such extensions and how unique the users of these extensions are. We have found that privacy extensions should be considered more useful than harmful. The paper concludes with possible countermeasures.


Published In

WPES'18: Proceedings of the 2018 Workshop on Privacy in the Electronic Society
October 2018
190 pages
ISBN:9781450359894
DOI:10.1145/3267323
© 2018 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anonymity
  2. fingerprinting
  3. uniqueness
  4. web tracking

Qualifiers

  • Research-article

Conference

CCS '18
Acceptance Rates

WPES'18 Paper Acceptance Rate 11 of 25 submissions, 44%;
Overall Acceptance Rate 106 of 355 submissions, 30%

Cited By

  • (2024) DeepFPD: Browser Fingerprinting Detection via Deep Learning With Multimodal Learning and Attention. IEEE Transactions on Reliability, 73:3 (1516-1528). DOI: 10.1109/TR.2024.3355233. Online publication date: Sep-2024
  • (2023) Extending a hand to attackers. Proceedings of the 32nd USENIX Conference on Security Symposium (7055-7071). DOI: 10.5555/3620237.3620632. Online publication date: 9-Aug-2023
  • (2023) Extending Browser Extension Fingerprinting to Mobile Devices. Proceedings of the 22nd Workshop on Privacy in the Electronic Society (141-146). DOI: 10.1145/3603216.3624955. Online publication date: 26-Nov-2023
  • (2023) Fashion Faux Pas: Implicit Stylistic Fingerprints for Bypassing Browsers' Anti-Fingerprinting Defenses. 2023 IEEE Symposium on Security and Privacy (SP) (987-1004). DOI: 10.1109/SP46215.2023.10179437. Online publication date: May-2023
  • (2023) Understanding the Impact of Fingerprinting in Android Hybrid Apps. 2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft) (28-39). DOI: 10.1109/MOBILSoft59058.2023.00011. Online publication date: May-2023
  • (2023) From Manifest V2 to V3: A Study on the Discoverability of Chrome Extensions. Information Security (183-202). DOI: 10.1007/978-3-031-49187-0_10. Online publication date: 15-Nov-2023
  • (2022) Escaping the Confines of Time. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (2675-2688). DOI: 10.1145/3548606.3560576. Online publication date: 7-Nov-2022
  • (2022) On the Impact of Internal Webpage Selection when Evaluating Ad Blocker Performance. 2022 30th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS) (41-48). DOI: 10.1109/MASCOTS56607.2022.00014. Online publication date: Oct-2022
  • (2022) NEEX: An Automated and Efficient Tool for Detecting Browser Extension Fingerprint. Emerging Information Security and Applications (21-35). DOI: 10.1007/978-3-030-93956-4_2. Online publication date: 12-Jan-2022
  • (2021) A Calculus of Tracking: Theory and Practice. Proceedings on Privacy Enhancing Technologies, 2021:2 (259-281). DOI: 10.2478/popets-2021-0027. Online publication date: 29-Jan-2021
