XSS-FP: Browser Fingerprinting using HTML Parser Quirks

There are many scenarios in which inferring the type of a client browser is desirable, for instance to fight against session stealing. This is known as browser fingerprinting. This paper presents and evaluates a novel fingerprinting technique to determine the exact nature (browser type and version, eg Firefox 15) of a web-browser, exploiting HTML parser quirks exercised through XSS. Our experiments show that the exact version of a web browser can be determined with 71% of accuracy, and that only 6 tests are sufficient to quickly determine the exact family a web browser belongs to

How to design browser security and privacy alerts

Browser security and privacy alerts must be designed to ensure they are of value to the end-user, and communicate risks efficiently. We performed a systematic literature review, producing a list of guidelines from the research. Papers were analysed quantitatively and qualitatively to formulate a comprehensive set of guidelines. Our findings seek to provide developers and designers with guidance as to how to construct security and privacy alerts. We conclude by providing an alert template, highlighting its adherence to the derived guidelines

Creating a Better Browser Fingerprint

Web browser fingerprinting is used to analyze client behavior through retrieval of browser attributes unique to the user’s browser, network and hardware profile. Third-party trackers are prevalent on the top Alexa sites and use JavaScript to retrieve and store user machine information in a stateless fashion. Stateless fingerprinting is performed through acquisition of client machine specifiers through an embedded JavaScript, which then forwards the information to a server. The client information is purportedly used to provide tailored advertising and enhance the browsing experience. However, the depth of captured client information often extends into the realm of personally identifiable information. The user is often unaware of privacy issues and how their information is disseminated for profit, or the risk of such data being used by hackers to exploit divulged vulnerabilities. We review fingerprinting techniques from previous works that delineate seminal methods and countermeasures, and present a novel fingerprinting JavaScript that measure over 200 Windows and Navigator object properties. The results reveal new parameters that can be used to generate unique user identifiers, and accurately track individual browsing behavior. These findings may be used by developers of anti-tracking software to improve efficacy and preserve individual privacy

Web Tracking: Mechanisms, Implications, and Defenses

This articles surveys the existing literature on the methods currently used by web services to track the user online as well as their purposes, implications, and possible user's defenses. A significant majority of reviewed articles and web resources are from years 2012-2014. Privacy seems to be the Achilles' heel of today's web. Web services make continuous efforts to obtain as much information as they can about the things we search, the sites we visit, the people with who we contact, and the products we buy. Tracking is usually performed for commercial purposes. We present 5 main groups of methods used for user tracking, which are based on sessions, client storage, client cache, fingerprinting, or yet other approaches. A special focus is placed on mechanisms that use web caches, operational caches, and fingerprinting, as they are usually very rich in terms of using various creative methodologies. We also show how the users can be identified on the web and associated with their real names, e-mail addresses, phone numbers, or even street addresses. We show why tracking is being used and its possible implications for the users (price discrimination, assessing financial credibility, determining insurance coverage, government surveillance, and identity theft). For each of the tracking methods, we present possible defenses. Apart from describing the methods and tools used for keeping the personal data away from being tracked, we also present several tools that were used for research purposes - their main goal is to discover how and by which entity the users are being tracked on their desktop computers or smartphones, provide this information to the users, and visualize it in an accessible and easy to follow way. Finally, we present the currently proposed future approaches to track the user and show that they can potentially pose significant threats to the users' privacy.Comment: 29 pages, 212 reference

To Extend or not to Extend: on the Uniqueness of Browser Extensions and Web Logins

Recent works showed that websites can detect browser extensions that users install and websites they are logged into. This poses significant privacy risks, since extensions and Web logins that reflect user's behavior, can be used to uniquely identify users on the Web. This paper reports on the first large-scale behavioral uniqueness study based on 16,393 users who visited our website. We test and detect the presence of 16,743 Chrome extensions, covering 28% of all free Chrome extensions. We also detect whether the user is connected to 60 different websites. We analyze how unique users are based on their behavior, and find out that 54.86% of users that have installed at least one detectable extension are unique; 19.53% of users are unique among those who have logged into one or more detectable websites; and 89.23% are unique among users with at least one extension and one login. We use an advanced fingerprinting algorithm and show that it is possible to identify a user in less than 625 milliseconds by selecting the most unique combinations of extensions. Because privacy extensions contribute to the uniqueness of users, we study the trade-off between the amount of trackers blocked by such extensions and how unique the users of these extensions are. We have found that privacy extensions should be considered more useful than harmful. The paper concludes with possible countermeasures.Comment: accepted at WPES 201

Criteria and Analysis for Human-Centered Browser Fingerprinting Countermeasures

Browser fingerprinting is a surveillance technique that uses browser and device attributes to track visitors across the web. Defeating fingerprinting requires blocking attribute information or spoofing attributes, which can result in loss of functionality. To address the challenge of escaping surveillance while obtaining functionality, we identify six design criteria for an ideal spoofing system. We present three fingerprint generation algorithms as well as a baseline algorithm that simply samples a dataset of fingerprints. For each algorithm, we identify trade-offs among the criteria: distinguishability from a non-spoofed fingerprint, uniqueness, size of the anonymity set, efficient generation, loss of web functionality, and whether or not the algorithm protects the confidentiality of the underlying dataset. We report on a series of experiments illustrating that the use of our partially-dependent algorithm for spoofing fingerprints will avoid detection by Machine Learning approaches to surveillance

Fingerprinting Mobile Browsers

Nowadays, billions of people access the Internet on mobile phones and a significant portion of the traffic comes from browsers. Mobile browsers could be used as a gateway to access the underlying resources of mobile devices for fingerprinting purposes. Browsers include APIs to access the underlying hardware and software resources, such as sensors, audio and media devices, battery, and so on. The growing number of APIs have created new opportunities for browser fingerprinting mechanisms. However, the widely used browser fingerprint systems are designed for the desktop environment and the identifying information gathered using these systems do not include the unique features of mobile phones such as device sensors. The goal of this thesis is to explore additional fingerprintable metrics in the mobile context and analyze their contribution in fingerprinting browsers. In this thesis, we investigated time evolution of browser's features fingerprints and fingerprinting in the wild in the context of mobile devices. In time evolution of feature's fingerprinting, we have examined the change in permission requirements of browsers over time and evolution of browser's features fingerprints for both Google Chrome and Firefox. In our experiment, we have seen that permission requirements have increased over time, e.g. Firefox 4.0 requires only four permissions, while Firefox 55.0 requires 24 permissions. In evolution of browser's features, we have seen fingerprints that are related to media, audio, WebGL, and canvas elements of the browser show a frequent change across versions. In addition, we have seen, for both Chrome and Firefox, the user agent string is unique for each version and media devices for Chrome is unique for each version as well in our dataset. In fingerprinting in the wild, we have collected fingerprints from 134 browsing sessions of which 96 were unique. From the gathered dataset, we have calculated the identifying information, entropy, contribution of each browser's feature in our test. The result shows that IP address, user agent, and media devices are the highest entropy contributors. In addition, we have observed that the maximum possible entropy gain in our dataset, 6.58 bits, can be obtained by joining only media devices and user agent strings. To sum up, in our experiment, we have acquired additional fingerprintable metrics form modern APIs, such as sensors, audio and media devices, and battery. In time evolution of browser feature's fingerprint experiments, we have seen that modern API feature's fingerprints show frequent change across versions. Similarly, in fingerprinting in the wild experiments, these APIs are among the highest entropy contributors

Mitigation of JavaScript-Based Fingerprinting Attacks Reliant on Client Data Generation

While fraud detection companies use fingerprinting methods as a secondary form of identification, attackers can exploit these fingerprinting methods due to the revealing nature of the software and hardware information collected. Attackers can use this sensitive information to target users with known vulnerabilities, monitor a user’s activity, and even reveal their identity without their knowledge or consent. Unfortunately, average users have limited options to opt out of or block fingerprinting attacks. In this thesis, we propose a solution that enforces dynamic policies on web pages to prevent potential malicious device fingerprinting methods. We employed the Inline Reference Monitor (IRM) approach to supervising JavaScript operations on web pages, including method calls, object creation and access, and property access. When executed, the IRM will intercept these operations, providing runtime policy enforcement to mitigate JavaScript-based dynamic fingerprinting methods that generate unique data at runtime instead of collecting static attributes. In particular, our policy enforces a randomization method rather than normalization or domain- based blocking to constantly change a given device’s fingerprint overtime, making it increasingly difficult for malicious actors to track a device across the web. Our approach can protect user privacy while limiting major site breakage, a common issue with current anti-fingerprinting technologies. We have performed intensive experiments to demonstrate the effectiveness of our approach. In particular, we replicated and revised an existing fingerprinting attack that collects network link- state information to construct unique fingerprints. We deployed this fingerprinting attack on the cloud and collected data from web users nationwide, which are used by a machine learning model to reveal users’ locations with high accuracy. We have implemented our mitigation method by extending a browser extension prototype. The prototype demonstrated that our proposed method could effectively prevent data collection from the fingerprinting attack

Fingerprinting Smart Devices Through Embedded Acoustic Components

The widespread use of smart devices gives rise to both security and privacy concerns. Fingerprinting smart devices can assist in authenticating physical devices, but it can also jeopardize privacy by allowing remote identification without user awareness. We propose a novel fingerprinting approach that uses the microphones and speakers of smart phones to uniquely identify an individual device. During fabrication, subtle imperfections arise in device microphones and speakers which induce anomalies in produced and received sounds. We exploit this observation to fingerprint smart devices through playback and recording of audio samples. We use audio-metric tools to analyze and explore different acoustic features and analyze their ability to successfully fingerprint smart devices. Our experiments show that it is even possible to fingerprint devices that have the same vendor and model; we were able to accurately distinguish over 93% of all recorded audio clips from 15 different units of the same model. Our study identifies the prominent acoustic features capable of fingerprinting devices with high success rate and examines the effect of background noise and other variables on fingerprinting accuracy