Extensions installed in web browsers can be used for tracking purposes. Some extensions use resources accessible by sites loaded in the browser; the information can be used to determine if extensions are installed, and even which extensions.

Fingerprinting describes a series of tracking techniques that websites and apps can use to track users. The techniques use information, either provided automatically by the browser or operating system, or manually, through the use of scripts. Unique fingerprints are the goal, as they allow sites to accurately distinguish visitors. Most of the time, fingerprints are used in combination with other tracking methods.

Browser extensions may use web-accessible resources; not all, but thousands use these resources. These resources, for example images, can be accessed by websites that are loaded in the browser. The extension developer must explicitly declare web-accessible resources in the manifest.

Extension Fingerprints is an open source script that checks if these extensions are installed in the user’s browser. The developer has added scans for more than 1000 extensions to the script, which are the most popular from the user’s installation point of view. Popular browser extensions such as Google Translate, Honey, Avast Online Security & Privacy, Malwarebytes Browser Guard, LastPass, Cisco Webex Extension, DuckDuckGo Privacy Essentials, or Amazon Assistant for Chrome use web-accessible resources.

The list can be expanded to add extensions with less than 70,000 users to the mix, which would improve detections and fingerprinting.

Point your web browser to this page to run the browser fingerprint test. The script that runs on the page checks for the existence of web-accessible resources and uses the information to indicate how unique the fingerprint is.

The browser fingerprint is shared with the majority of users if none of the extensions the script looks for are installed.

You can check the browser extension’s manifest file to see if it contains any web-accessible resource leaks. Download the extension, extract it and check the manifest file this way, or use the Chrome Extension Source Viewer extension to view it in the browser.

Browser extensions have been used for tracking and fingerprinting in the past. In 2017, researchers created a technique that monitored browser response time to determine if extensions were installed. That same year, researchers discovered a problem with Firefox’s WebExtensions credentials.

Closing words

Internet users have no viable option to protect their identity from this fingerprinting method. Uninstalling extensions with web-accessible resources or blocking JavaScript by default may not be viable options.

Now you: Do you use browser extensions?

Advertising