to extend or not to extend: on the uniqueness of browser ... · the most unique combinations of...

To Extend or not to Extend on the Uniqueness of BrowserExtensions and Web Logins

Gaacutebor Gyoumlrgy GulyaacutesINRIA

gaborgulyasinriafr

Doliegravere Francis SomeacuteINRIA

dolieresomeinriafr

Nataliia BielovaINRIA

nataliiabielovainriafr

Claude CastellucciaINRIA

claudecastellucciainriafr

ABSTRACTRecent works showed that websites can detect browser extensionsthat users install and websites they are logged into This poses sig-nificant privacy risks since extensions and Web logins that reflectuserrsquos behavior can be used to uniquely identify users on the WebThis paper reports on the first large-scale behavioral uniquenessstudy based on 16393 users who visited our website We test anddetect the presence of 16743 Chrome extensions covering 28of all free Chrome extensions We also detect whether the user isconnected to 60 different websitesWe analyze how unique users are based on their behavior and findout that 5486 of users that have installed at least one detectableextension are unique 1953 of users are unique among those whohave logged into one or more detectable websites and 8923 areunique among users with at least one extension and one loginWe use an advanced fingerprinting algorithm and show that it ispossible to identify a user in less than 625 milliseconds by selectingthe most unique combinations of extensionsBecause privacy extensions contribute to the uniqueness of userswe study the trade-off between the amount of trackers blocked bysuch extensions and how unique the users of these extensions areWe have found that privacy extensions should be considered moreuseful than harmful The paper concludes with possible counter-measures

CCS CONCEPTSbull Security and privacy rarr Pseudonymity anonymity and untrace-ability Browser securityWeb protocol security

KEYWORDSweb tracking uniqueness anonymity fingerprinting

ACM Reference FormatGaacutebor Gyoumlrgy Gulyaacutes Doliegravere Francis Someacute Nataliia Bielova and ClaudeCastelluccia 2018 To Extend or not to Extend on the Uniqueness of BrowserExtensions and Web Logins In 2018 Workshop on Privacy in the ElectronicSociety (WPESrsquo18) October 15 2018 Toronto ON Canada ACM New YorkNY USA 14 pages httpsdoiorg10114532673233268959

ACMacknowledges that this contributionwas authored or co-authored by an employeecontractor or affiliate of a national government As such the Government retains anonexclusive royalty-free right to publish or reproduce this article or to allow othersto do so for Government purposes onlyWPESrsquo18 October 15 2018 Toronto ON Canadacopy 2018 Association for Computing MachineryACM ISBN 978-1-4503-5989-41810 $1500httpsdoiorg10114532673233268959

1 INTRODUCTIONIn the last decades researchers have been actively studying usersrsquouniqueness in various fields in particular biometrics and privacycommunities hand-in-hand analyze various characteristics of peo-ple their behavior and the systems they are using Related researchshowed that a person can be characterized based on her typingbehavior [53 61] mouse dynamics [52] and interaction with web-sites [33] Furthermore Internet and mobile devices provide richenvironment where usersrsquo habits and preferences can be automat-ically detected Prior works showed that users can be uniquelyidentified based on websites they visit [50] smartphone apps theyinstall [23] and mobile traces they leave behind them [29]

Since the web browser is the tool people use to navigate throughthe Web privacy research community has studied various formsof browser fingerprinting [22 27 30 32 34 49] Researchers haveshown that a userrsquos browser has a number of ldquophysicalrdquo charac-teristics that can be used to uniquely identify her browser andhence to track it across the Web Fingerprinting of usersrsquo devices issimilar to physical biometric traits of people where only physicalcharacteristics are studied

Similar to previous demonstrations of user uniqueness based ontheir behavior [23 50] behavioral characteristics such as browsersettings and the way people use their browsers can also help touniquely identify Web users For example a user installs webbrowser extensions she prefers such as AdBlock [1] LastPass [14]or Ghostery [8] to enrich her Web experience Also while brows-ing the Web she logs into her favorite social networks such asGmail [13] Facebook [7] or LinkedIn [15] In this work we studyusersrsquo uniqueness based on their behavior and preferences on theWeb we analyze how unique are Web users based on their browserextensions and logins

In recent works Sjoumlsten et al [56] and Starov andNikiforakis [58]explored two complementary techniques to detect extensions Saacutenchez-Rola et al [54] then discovered how to detect any extension via atiming side channel attack These works were focused on the tech-nical mechanisms to detect extensions but what was not studiedis how browser extensions contribute to uniqueness of users at largescale Linus [46] showed that some social websites are vulnerableto the ldquologin-leakrdquo attack that allows an arbitrary script to detectwhether a user is logged into a vulnerable website However itwas not studied whether Web logins can also contribute to usersrsquouniqueness

In this work we performed the first large-scale study of useruniqueness based on browser extensions and Web logins collected

from more than 16000 users who visited our website (see the break-down in Fig 6) Our experimental website identifies installed GoogleChrome [9] extensions via Web Accessible Resources [56] and de-tects websites where the user is logged into by methods that relyon URL redirection and CSP violation reports Our website is ableto detect the presence of 13k Chrome extensions on average permonth (the number of detected extensions varied monthly between12 164 and 13 931) covering approximately 28 of all free Chromeextensions1 We also detect whether the user is connected to oneor more of 60 different websites Our main contributions are

bull A large scale study on how unique users are based on theirbrowser extensions and website logins We discovered that5486 of users that have installed at least one detectableextension are unique 1953 of users are unique among thosewho have logged into one or more detectable websites and8923 are unique among users with at least one extensionand one login Moreover we discover that 2298 of userscould be uniquely identified by Web logins even if theydisable JavaScript

bull We study the privacy dilemma on Adblock and privacy ex-tensions that is how well these extensions protect their usersagainst trackers and how they also contribute to uniquenessWe evaluate the statement ldquothe more privacy extensions youinstall the more unique you arerdquo by analyzing how usersrsquouniqueness increases with the number of privacy extensionsthey install and by evaluating the tradeoff between the pri-vacy gain of the blocking extensions such as Ghostery [8]and Privacy Badger [17]

We furthermore show that browser extensions and Web loginscan be exploited to fingerprint and track users by only checkinga limited number of extensions and Web logins We have appliedan advanced fingerprinting algorithm [38] that carefully selectsa limited number of extensions and logins For example Figure 1shows the uniqueness of users we achieve by testing a limitednumber of extensions The last column shows that 5486 of usersare unique based on all 16743 detectable extensions However bytesting 485 carefully chosen extensions we can identify more than5396 of users Besides detecting 485 extensions takes only 625ms

Finally we give suggestions to the end users as well as websiteowners and browser vendors on how to protect the users from thefingerprinting based on extensions and logins

In our study we did not have enough data to make any claimsabout the stability of the browser extensions andweb logins becauseonly few users repeated an experiment on our website (to be preciseonly 66 users out of 16393 users have made more than 4 tests onour website) We leave this as a future work

2 BACKGROUND21 Detection of browser extensionsA browser extension is a program typically written in JavaScriptHTML and CSS An extension may alter the context of the webpageintercept HTTP requests or provide extra functionality Examples

1The list of detected extensions and websites are available on our website httpsextensionsinrialpesfrfaqphp

Figure 1 Results of general fingerprinting algorithm Testing485 carefully selected extensions provides a very similar uniquenessresult to testing all 16743 extensions Almost unique means thatthere are 2ndash5 users with the same fingerprint

of browser extensions are ad blockers such as AdBlock [1] andpassword managers such as LastPass [14]

In the Google Chrome web browser each extension comes witha manifest file [11] which contains metadata about the exten-sion Each extension has a unique and permanent identifier andthe manifest file of an extension with identifier extID is locatedat chrome-extension[extID]manifestjson The manifestfile has a section web_accessible_resources (WARs) that declareswhich resources of an extension are accessible in the content of anywebpage [10] The WARs section specifies a list of paths to suchresources presented by the following type of URLchrome-extension[extID][path] where path is the pathto the resource in the extension

Therefore a script that tries to load such an accessible resourcein the context of an arbitrary webpage is able to check whetheran extension is installed with a 100 guarantee if the resource isloaded an extension is installed otherwise it is not Figure 2 showsan example of AdBlock extension detection the script tries to loadan image which is declared in the web_accessible_resources sectionof AdBlockrsquos manifest file If the image from AdBlock located atchrome-extension[AdBlockID]iconsicons24png is suc-cessfully loaded then AdBlock is installed in the userrsquos browser

Sjoumlsten et al [56] were the first to crawl the Google ChromeWebStore and to discover that 28 of all free Chrome extensions are de-tectable by WARs An alternative method to detect extensions thatwas available at the beginning of our experiment was a behavioralmethod from XHOUND [58] but it had a number of false positivesand detected only 92 of top 10k extensions (see Sec 9 for moredetails) Therefore we decided to reuse the code from Sjoumlsten etal [56] with their permission to crawl Chrome Web Store and iden-tify detectable extensions based on WARs During our experimentwe discovered that WARs could be detected in other Chromium-based browsers like Opera [16] and the Brave Browser [3] (we couldeven detect Brave Browser since it is shipped with several defaultextensions detectable by WARs) We have chosen to work withChrome as it was the most affected

Figure 2 Detection of browser extensions and Web logins A user visits a benign website testcom which embeds third party code (theattackerrsquo script) from attackercom The script detects an icon of Adblock extension and concludes that Adblock is installed Then the scriptdetects that the user is logged into Facebook when it successfully loads Facebook faviconico It also detects that the user is logged intoLinkdedIn through a CSP violation report triggered because of a redirection from httpsfrlinkedincom to httpswwwlinkedincom Allthe detection of extensions and logins are invisible to the user

22 Detection of Web loginsIn general a website cannot detect whether a user is logged intoother websites because of Web browser security mechanisms suchas access control and Same-Origin Policy [18] In this section wepresent two advanced methods that despite browser security mech-anisms allow an attacker to detect the websites where the user islogged into Figure 2 presents all the detection mechanismsRedirectionURLhijackingThe first requirement for thismethodto work is the login redirection mechanism when a user is notlogged into Facebook and tries to access an internal Facebook re-source she automatically gets redirected to the URL httpwwwfacebookcomloginphpnext=[path] where path is the path to theresource The second requirement is that the website should havean internal image available to all the users In the case of Facebookit is a faviconico image

By dynamically embedding an image pointing to httpswwwfacebookcomloginphpnext=https3A2F2Fwwwfacebookcom2Ffaviconico into the webpage an attacker can detect whether theuser is logged into Facebook or not If the image loads then the useris logged into Facebook otherwise she is not This method has beenshown to successfully detect logins on dozens of websites [46]AbusingCSPviolation reportingContent-Security-Policy (CSP) [557] is a security mechanism that allows programmers to controlwhich client-side resources can be loaded and executed by thebrowser CSP (version 2) is an official W3C candidate recommenda-tion [60] and is currently supported by major web browsers

A CSP delivered with a page controls the resources of the pageFor example CSP can set a rule to allow the browser to load imagesonly from a particular domain If a webpage tries to load an image

from a different domain CSP will block such request and can senda violation report back to the web server

An attacker can misuse CSP to detect redirections [41] We ex-tend this idea to detect logins For this method to work a websiteshould redirect its logged in users to a different domain In the caseof LinkedIn the users who are not logged in visit frlinkedincomwhile the users who are logged in are automatically redirected toa different domain wwwlinkedincom The lowest block of Fig 2presents an example of such attack on LinkedIn Initially the at-tacker embeds a hidden iframe from his own domain with the CSPthat restricts loading images only from frlinkedincom Thenthe attacker dynamically embeds a new image on the testing web-site pointing to frlinkedincom If the user is logged in LinkedInwill redirect her to the wwwlinkedincom and thus the browserwill fire a CSP violation report because images can be loaded onlyfrom frlinkedincom By receiving the CSP report the attackerdeduces that the user is logged in LinkedIn

3 DATASETWe launched an experiment website in April 2017 to collect browserextensions and Web logins with the goal of studying usersrsquo unique-ness at a large scale We have advertised our experiment by allpossible means including social media and in press In this sectionwe first present the set of attributes that we collect in our experi-ment and the rules we applied to filter out irrelevant records Thenwe provide data statistics and show which extensions and loginsare popular among our users

31 Experiment website and data collectionThe goal of our website is both to collect browser extensions andWeb logins and to inform users about privacy implications of thisparticular type of fingerprinting Using the various detection tech-niques described in Section 2 we collect the following attributes

bull The list of installed browser extensions using web accessibleresources For each user we tested around 13k extensionsdetectable at the moment of testing (see Figure 3)

bull The list of Web logins we test for 44 logins using redirectionURL hijacking and 16 logins using CSP violation report

bull Standard fingerprinting attributes [45] such as fonts in-stalled Canvas fingerprint [21] and WebGL [48] To col-lect these attributes we use FingerprintJS2 which is anopen-source browser fingerprinting library [39] We col-lected these attributes in order to clean our data and compareentropy with other studies (see Table 3)

To recognize users that perform several tests on our website wehave stored a unique identifier for each user in the HTML5 local-Storage We have communicated our website via forums and socialmedia channels related to science and technology and got presscoverage in 3 newspapers We have collected 22904 experimentsperformed by 19814 users between April and August 2017

Ethical concernsOur studywas validated by an IRB-equivalentservice at our institution All visitors are informed of our goal andare provided with both Privacy Policy and FAQ sections of thewebsite The visitors have to explicitly click on a button to triggerthe collection of their browser attributes In our Privacy Policywe explain what data we are collecting and give a possibility toopt-out of our experiment The data collected is used only for ourown research will be held until December 2019 and will not beshared with anyone

Table 1 Users filtered out of the final dataset

Initial users 19814Mobile browser users 1042Chrome browser users with extension detection error 6Non Chrome users with at least one extension de-tected

261

Brave browser users 31Users whose browser has an empty user-agent stringscreen resolution fonts or canvas fingerprint

2015

Users with more than 4 experiments 66Final dataset 16393Chrome browser users in the final dataset 7643

Data cleaningWe applied a set of cleaning rules over our initialdata to improve the quality of the data The final dataset contains16393 valid experiments (one per user) Table 1 shows the initialnumber of users and which users have been removed from our ini-tial dataset We have removed all 1042 users with mobile browsersAt the time of writing this paper browser extensions were notsupported on Chrome for mobiles Since extensions detection weredesigned for Chrome we then excluded mobile browsers More-over mobile users tend to prefer native apps rather than their web

versions2 In fact the popular logins in our dataset such as GmailFacebook Youtube all have a native mobile version

We have also removed 2015 users that have deliberately tam-pered with their browsers for example users with empty user-agent string empty screen resolution or canvas fingerprint Wethink that it is reasonable not to trust information received fromthose users as they may have tampered with it We also neededthis information to compare our study with previous works onbrowser fingerprinting Finally we have excluded users who havetampered with extension detection This includes Chrome users forwhom extension detection did not successfully complete and usersof other browsers with at least 1 extension detected

For users who visited our website and performed up to 4 ex-periments we kept only one experiment the one with the biggestnumber of extensions and logins We then removed 66 users withmore than 4 experiments We suspect that the goal of such userswith numerous experiments was just to use our website in orderto test the uniqueness of their browsers with different browsersettings

Figure 3 Evolution of detected extensions in Chrome

Evolution of browser extensions From November 2016 toJuly 2017 we crawled on a montly basis the free extensions on theChrome Web Store in order to keep an up-to-date set of extensionsfor our experiment Figure 3 presents the evolution of extensionsthroughout the period of our experiment Since some extensionsgot removed from the Chrome Web Store the number of stableextensions decreased

Out of 12164 extensions that were detectable in November 20168810 extensions (724) remained stable throughout the 9-months-long experiment In total 16743 extensions were detected at somepoint during these 9 months Since every month the number ofdetectable extensions was different on average we have testedaround 13k extensions during each month

32 Data statisticsOur study is the first to analyze uniqueness of users based ontheir browser extensions and logins at large scale Only uniquenessbased on browser extensions was previously measured but on very2httpsjmango360comwikimobile-app-vs-mobile-website-statistics

Table 2 Previous studies onmeasuring uniqueness based onbrowser extensions and our estimation of uniqueness

Study Fingerprintscollectedin a study

Extensionstargetedin a study

Uniquefinger-prints ina study

Unique fin-gerprints inour dataset

Timingleaks [54]

204 2000 5686 5564

XHOUND[58]

854 1656 1410 4960

Ours 7643 13k 3929 3929

small datasets of 204 [54] and 854 [58] participants We measureuniqueness of 16393 users for all attributes and of 7643 Chromebrowser users for browser extensions

Comparison to previous studies To compare our findingswith the previous works on browser extensions we randomly picksubsets of 204 (as in [54]) and 854 (as in [58]) Chrome users 100 times(we found that picking 100 times provided a stable result) Table 2shows uniqueness results from previous works and an estimateduniqueness using our dataset

The last column in Table 2 shows our evaluation of uniquenessfor a given subset of users Our estimation for 204 random users is5564 which is close to the 5686 from the original study [54] For854 random users we estimate that 4960 of them are unique whilein the original XHOUND study [58] the percentage of unique usersis only 141 We think that such small percentage of unique usersin [58] is due to (1) a smaller number of extensions detected (only174 extensions were detected for 854 users) (2) a different user basewhile our experiments and [54] targeted colleagues students andother likely privacy-aware experts XHOUND [58] used AmazonMechanical Turk where users probably have different habits toinstalling extensions Out of 7643 users of the Chrome browserwhere we detected extensions 3929 of users were unique Thisnumber shows a more realistic estimation of usersrsquo uniquenessbased on browser extensions than previous works because of asignificantly larger dataset

To the best of our knowledge our study is the first to analyzeuniqueness of users based on their web logins and on combinationof extensions and logins

Normalized Shannonrsquos entropyWe compare our dataset withthe previous studies on browser fingerprinting AmIUnique [44Table B3] (contains 390410 fingerprints collected between Novem-ber 2014 and June 2017) and Hiding in the Crowd [34] (contains1816776 users collected in 2017) Entropy measures the amount ofidentifying information in a fingerprint ndash the higher the entropy isthe more unique and identifiable a fingerprint will be To comparewith previous datasets which are of different sizes we computenormalized Shannonrsquos entropy

HN (X ) =H (X )

log2 N= minus

1log2 N

middotsumiP(xi ) log2 P(xi ) (1)

whereX is a discrete randomvariablewith possible values x1 xn P(X ) is a probability mass function and N is the size of the dataset

Table 3 Normalized entropy of extensions and logins com-pared to previous studies

Standard fingerprinting studiesAttribute Ours AmIUnique

[44]Hiding [34]Desktop

User Agent 0474 0601 0304List of Plugins 0343 0523 0494Timezone 0168 0187 0005Screen Resolution 0271 0276 0213List of Fonts 0652 0370 0335Canvas 0611 0503 0387

Studies on extensions and loginsAttribute Ours Timing

leaks [54]XHOUND[58]

Extensions 0641 0869 0437Logins 0441 NA NA

Table 3 compares the entropy values of well-known attributesfor standard fingerprinting and for logins for all 16393 users in ourdataset and for browser extensions for 7643 Chrome users All theattributes in standard fingerprinting are similar to previous worksexcept for fonts and plugins Unsurprisingly plugins entropy isvery small because of decreasing support of plugins in Firefox [51]and Chrome [55] Differently from previous studies that detectedfonts with Flash we used JavaScript based font detection relyingon a list of 500 fonts shipped along with the FingerprintJS2 libraryAs those fonts are selected for fingerprinting this could explainwhy our list of fonts provides a very high entropy

In our dataset as well as in previous studies browser extensionsare one of themost discriminating attributes of a userrsquos browser Thecomputed entropy of 0641 computed for the 7643 Chrome userslays between the findings of Timing leaks [54] and XHOUND [58]One possible explanation is the size of the user base For instanceusers in XHOUND had few and probably often the same extensionsdetected (out of 1656 targeted extensions only 174 were detectedfor 854 users) making only 141 of them unique This explainswhy the entropy in XHOUND is smaller Saacutenchez-Rola et al [54]computed a very high entropy but on a very small dataset of 204users 116 of them had a unique set of installed extensions and thusthe computed entropy was very high

33 Usage of extensions and loginsFigure 4 shows the distribution of users in our dataset accordingto the number of detected extensions and logins (users havingbetween 1 and 13 logins or extensions detected) and the number ofunique users as they are grouped by number of detected extensionsand logins The maximum number of extensions we detected for asingle user was 33 The number of users decreases with the numberof extensions The largest group of users have only 1 extensiondetected followed by users with 2 detected extensions etc Wenotice that the more extensions a user has the more unique she isWe analyze this phenomenon further in Section 42 Among userswith exactly 1 extension detected 739 are unique This percentagerises to 4535 and 8589 for groups of users with exactly 2 and 3detected extensions respectively

Figure 4 Usage of browser extensions and logins by all users

Figure 4 also shows the distribution of users per number ofdetected logins We found that most users have between 1 and 10logins with a maximum number of 40 logins detected for one userOn our website we were able to detect the presence of 60 loginswhich is rather small with respect to the large number of extensionswe tested (around 13k per user) This explains why fewer usersare unique based on their logins for example among users withexactly 1 login detected 010 are unique and 782 are uniqueamong users with exactly 2 logins detected

Table 4 Top seven most popular extensions in our datasetand their popularity on Chrome Web Store

Extension Dataset ChromeAdBlock 1557 10000000+LastPass Free Password Manager 1081 7297730Ghostery 735 2665427Privacy Badger 594 771804Adobe Acrobat 585 10000000+Cisco WebEx Extension 482 10000000+Save to Pocket 428 2752642

Table 5 Top seven most popular logins in our dataset andtheir ranking according to Alexa

Website Dataset Alexa RankGmail (subdomain of Google) 6828 1Youtube 6780 2Facebook 5493 3LinkedIn 3913 13Blogger 3393 53Twitter 3274 8eBaycom 2220 33

What extensions are the most popular among our usersTable 4 presents the seven most detected extensions in our datasetof 16393 users The three most popular extensions are AdBlock [1]password manager LastPass [14] and tracker blocker Ghostery [8]These extensions are also very popular according to their downloadsstatistics on Chrome Web Store

What websites users are logging into the most Table 5shows the seven most detected websites in our experiment These

Figure 5 Distribution of anonymity set sizes for 16393 usersbased on detected extensions and logins

websites are also highly rated according to Alexa3 For instanceGoogle [12] Facebook [7] and Youtube [20] are regularly ranked asthe top 3 most popular websites by Alexa4 Being able to detect suchpopular websites further strengthen our study as they representwebsites that are widely used by users in the wild

4 UNIQUENESS ANALYSISIn this section we present the results for userrsquos uniqueness basedon all 16743 extensions and 60 logins We first show uniquenessfor the full dataset of 16393 users and then present more specificresults for various subsets of our dataset

Uniqueness results for the full dataset Figure 5 shows theuniqueness of users according to their extensions and logins and acombination of both attributes Out of the 16393 users 1130 areunique based on their logins For 421 of users in our dataset wedid not detect any logins These users either did not log into anyof the 60 websites we could detect or blocked third party cookiesthat prevented our login detection from working properly

Considering only detected extensions 1838 of users in ourdataset are unique This result is also influenced by the 6661of users who did not have any extension detected these are ei-ther Chrome users with no extensions detected or users of otherbrowsers

An attacker willing to fingerprint users can also use their de-tected logins and extensions combined Interestingly by combiningextensions and logins we found that 3451 of users are uniquelyidentifiable It is worth mentioning that 3261 of users have noextensions and no logins detected This impacts significantly thecomputed uniqueness

Figure 6 Four final datasets DExt contains users who have in-stalled at least one detected extension andDLog contains users whohave at least one login detected

Figure 7 Anonymity sets for different datasets

41 Four final datasetsIn our full dataset of 16393 users we have observed 7643 users ofChrome browser for whom testing of browser extensions workedproperly In this subsection we consider various subsets of our fulldataset that demonstrate uniqueness results for users who have atleast one extension or one login detected Figure 6 shows four finaldatasets that we further analyze in this section

bull DExt contains 5474 Chrome users who have installed atleast one extension that we can detect

bull DLog contains 9492 users who have logged into at least onewebsite that we detect

bull DExt cap DLog contains 3919 Chrome users who have at leastone extension and one login detected

bull DExt cup DLog contains 11047 users who have either at leastone extension or at least one login detected

42 Uniqueness results for final datasetsFigure 7 presents results for the four datasets DExt dataset showsthat 5486 of users are uniquely identifiable among Chrome userswho have at least one detectable extension This demonstratesthat browser extensions detection is a serious privacy threat as afingerprinting technique

Among 9492 users with at least one login detected (DLog dataset)only 1953 are uniquely identifiable This result can be explainedby a very small diversity of attributes (only 60 websites)

Whenwe analyzed Chrome userswho have at least one extensionand one login detected (DExt cap DLog dataset) we found out that8923 of them are uniquely identifiable This means that without3Alexa ranking extracted on the the 28th of June 20184Note that Gmail is a subdomain of Google that is why it is ranked 1 in Table 5

Figure 8 Anonymity sets for users with respect to the num-ber of detected extensions

any other fingerprinting attributes the mere installation of at leastone extension in addition to being logged into at least one websiteimply that the majority of users in this dataset can be tracked bytheir fingerprint based solely on extensions and logins

Furthermore for dataset DExt cupDLog that contains users with atleast one extension or at least one login we compute that 5115 ofusers can be uniquely identified This result becomes particularlyinteresting when we compare the size of the DExt cup DLog datasetwhich contains 11047 users with the size of the DExt dataset thathas 5474 users The size of DExt cup DLog is almost twice as large asDExt Nevertheless the percentage of unique users and the distribu-tion of anonymity set sizes in these datasets are very similar 5486of unique users in DExt and 5115 of unique users in DExt cup DLog We believe this is due to the fact that extensions and logins areorthogonal properties We checked the cosine similarity betweenthese attributes as binary vectors and found that all attribute pairshad a very low similarity score all below 034 with 11 exceptionsbelow 02

The last row DExt(Stable) shows uniqueness of users in the DExtdataset but considering only stable extensions (see more details inSection 3) Interestingly 5035 of users are uniquely identifiablewith their stable extensions only and the distribution of anonymityset sizes is very similar too This result shows that browser exten-sions that were added or removed throughout the 9-months-longexperiment do not influence the result of usersrsquo uniqueness

Themore extensions you install themore unique you areIn the beginning of this section we have shown that 5486 of usersare unique among those who have at least one extension detected(DExt dataset) Figure 8 shows how uniquely identifiable users arewhen they have more extensions detected Among users with atleast two extensions detected 7625 are uniquely identifiable Thispercentage rises quickly to 9222 and 9585 when we considerusers with at least three and four extensions detected respectively

We made a similar analysis for logins likewise the percentageof unique users grows if we consider users with a higher numberof detected logins 3158 users with at least 5 logins are uniquelyidentifiable with their logins only This percentage rises to 3898when we detected at least 8 logins Intuitively the more exten-sions or logins a user has the more unique he becomes It is worthmentioning that the subsets of users considered decreases as weincrease the number of extensions or logins detected as shown inFigure 4

Uniqueness if JavaScript is disabled Users might decide toprotect themselves from fingerprinting by disabling JavaScript in

Figure 9 Anonymity sets when JavaScript is disabled

their browsers However evenwhen JavaScript is disabled detectionof logins via a CSP violation attack still works Among 60 websitesin our experiment we discovered that such an attack works for 18websites Figure 9 shows anonymity sets for 9492 users of DLogdataset assuming users have disabled JavaScript By consideringonly logins detectable with CSP 163 of users are uniquely identi-fiable and 410 are unique based on a user agent string that is sentwith every request by the browser However when we combine theuser agent string with the list of logins detectable with CSP 2298of users become uniquely identifiable

5 FINGERPRINTING ATTACKSAccording to the uniqueness analysis from Section 4 5486 of usersthat have installed at least one detectable extension are unique1953 of users are unique among those who have logged into oneor more detectable websites and 8923 are unique among userswith at least one extension and one login Therefore extensionsand logins can be used to track users across websites In this sectionwe present the threat model discuss and evaluate two algorithmsthat optimize fingerprinting based on extensions and logins

51 Threat modelThe primary attacker is an entity that wishes to uniquely identifya userrsquos browser across websites An attacker is recognizing theuser by his browser fingerprint a unique set of detected browserextensions andWeb logins (we call them attributes) without relyingon cookies or other stateful information A single JavaScript librarythat is embedded on a visited webpage can check what extensionsand Web logins are present in the userrsquos browser By doing so anattacker is able to uniquely identify the user and track her activitiesacross all websites where the attackerrsquos code is present We assumethat an attacker has a dataset of usersrsquo fingerprints either previouslycollected by the attacker or bought from data brokers

52 How to choose optimal attributesThe most straightforward way to track a user via browser finger-printing is to check all the attributes (browser extensions and logins)of her browser However testing all 13k extensions takes around30 seconds5 and thus may be unfeasible in practice Therefore thenumber of tested attributes is one of the most important property offingerprinting attacks ndash the attack is faster when fewer attributesare checked But testing fewer attributes may lead to worse unique-ness results because more users will share the same fingerprint

While it was shown that finding the optimal fingerprint is an NP-hard problem [38] finding approximate solutions is neither a trivialtask For example choosing the most popular attributes worked in

5We evaluate performance in Section 6

the case of tracking based on Web history but this strategy is notnecessarily the globally optimal case

Following the theoretical results of Gulyaacutes et al [38] we con-sider these two strategies (1) to target a specific user and thusto select attributes that makes her unique with high probability ndashcalled targeted fingerprinting algorithm and (2) to uniquely iden-tify a majority of users in a dataset and thus select the same setof attributes for all users ndash we call it general fingerprinting algo-rithm Targeted fingerprinting mainly uses popular attributes ifthey are not detectable (eg popular extensions are not installed)or unpopular ones if they are detectable General fingerprintinginstead considers attributes that are detectable roughly at half ofthe population (this allows to chose more independent attributeswhich makes a fingerprint based on these attributes more unique)

Using the algorithms developed in [38] we performed exper-iments with general and targeted fingerprinting Our goal is toachieve results close to those in Section 4 but by testing a smallernumber of attributes6

53 Targeted fingerprintingAttack outline The attacker aims to identify a specific user withhigh probability In order to do this the attacker needs to haveinformation about the targeted user in her dataset of fingerprintsThe attacker generates a fingerprint pattern that consists of a listof attributes with a known value such as fj = [AdBlock=yes Last-Pass=No ] Notice that a fingerprint pattern contains not onlyextensions that the user installed but also extensions that are notinstalled This information also helps to uniquely identify the user

Let us denote the user database as D of n users andm attributeseach row i corresponding to userUi and each column j correspond-ing to attributeAj Let the algorithm target userUi First we need tofind her most distinguishing attribute Aj shared among the small-est number of other users Let us denote these users as Si j Thenwe need to find a second most distinguishing property Ak whichseparates Ui from Si j Then the algorithm continues searching forthe most distinguishing attributes until the given pattern makesUi unique (or there are no more acceptable choices left)

Evaluation We applied targeted fingerprinting algorithm [38]on our datasets DExt DLoд DExt cap DLoд and DExt cup DLoд andcomputed a fingerprint pattern for each user By using these pat-terns we have computed the anonymity sets for all datasets that areidentical to those shown in Figure 7 We therefore omit repeatingthese results in a new figure

For each unique user the fingerprint pattern contains a smallernumber of attributes than the number of attributes detected forthe user For example it is enough to test only 2 extensions for auser who has installed 4 detectable extensions Figure 10 shows thedistribution of fingerprint pattern sizes of unique users (markedwith ldquotargetedrdquo) and compares them to the number of attributesdetected for each user The figure clearly shows that fingerprintpatterns are typically smaller than the number of detected attributesusers have

For non-unique users the size of the fingerprint pattern is oftenbigger than the number of detected attributes the user has Letus discuss this on our largest dataset DExt cup DLoд but note that

6We reused the implementation of Gulyaacutes et al who shared their code [37]

Figure 10 Comparison of fingerprint pattern size (targeted)and the total number of detected attributes (detected) forunique users

other datasets exhibit the same phenomena For unique users onaverage we have 794 attributes detected while the average size offingerprint pattern is 394 attributes only For non-unique users theaverage number of detected attributes is 541 while the average sizeof fingerprint pattern grew up to 3017 This result is not surprisingwith less information it is more difficult to distinguish users andthe fingerprint pattern may also include negative attributes (ieLastPass=No means an extension should not be detected) whichcan extend the length greatly

The targeted fingerprint is efficient as it provides almost maxi-mal uniqueness while reducing the number of attributes Howeverit cannot be used for new users because the attacker does not haveany background knowledge about them To reach a wider usabilitywith a trade-off in the fingerprint pattern size we also considergeneral fingerprinting [38]

54 General fingerprintingAttack outline The purpose of this algorithm is to provide ashort list of attributes called fingerprint template If the attributesin a fingerprint template are tested for a certain user she will beuniquely identified with high probability Similarly to the exampleof targeted fingerprinting we consider the fingerprint template F =[AdBlock LastPass ] that would yield the fingerprint f Fj =[yesno ] for the userUj

The algorithm first groups all users into a set S Then it looksfor an attribute Ai that will separate S into roughly equally sizedsubsets S1 and S2 if we group users based on their attribute Ai Inthe next round it looks for anotherAj Ai that splits S1 S2 furtherinto roughly equally sized sets This step is repeated until we runout of applicable attributes or the remaining sets could not be slicedfurther

Evaluation To apply general fingerprinting we first measureuniqueness by using all attributes which will be our target levelA Then we run the algorithm until either it stops by itself (eg

fingerprint cannot be extended further) or we terminate it earlywhen the actual level of uniqueness B is less than 1 from level A

Figure 11 shows the anonymity sets for different fingerprintlengths for our datasets DExt DLoд DExt cap DLoд and DExt cup

DLoд generated by the general fingerprinting algorithm For DExtand DLoд the algorithm provided fingerprint templates of 485extensions and 35 logins In these cases the algorithm stopped sinceno more attributes could be used for achieving better uniqueness ndashhence the final anonymity sets are very close to those in Figure 7In the cases of DExt cap DLoд and DExt cup DLoд we observed slowconvergence in uniqueness thus we could stop the algorithm earlier(shown as white dots in Figure 11) As a result for DExt cap DLoд we can obtain 8619 of unique users by testing 270 extensions andlogins For DExt cup DLoд we can obtain 4831 of unique users bytesting 419 extensions and logins

We conclude that the general fingerprint can achieve a significantdecrease in the fingerprint length while maintaining the level ofuniqueness almost at maximum In the next section we discuss theperformance of these results

For DExt dataset general fingerprinting algorithm provides 485extensions but we found out that 20 of these extensions were notstable (see Figure 3) and were not present in the last month of ourexperiment Using all extensions including unstable ones can beuseful to maintain fingerprint comparability with older data or withusers having older versions of extensions However if we constraingeneral fingerprinting to stable extensions only we get a fingerprinttemplate of 465 extensions leading to 5033 uniqueness ndash stillvery close to the results of baseline uniqueness results which was5035 with stable extensions only

6 IMPLEMENTATION AND PERFORMANCEIn this section we discuss the design choices we made for ourexperimental website and analyze whether browser extensions andWeb logins fingerprinting is efficient enough to be used by trackingcompanies

To collect extensions installed in the userrsquos browser we firstneeded to collect the extensionsrsquo signatures from the Chrome WebStore We collected 12497 extensions in August 2017 using thecode shared by Sjoumlsten et al [56] To detect whether an extensionwas installed we tested only one WAR per extension (see moredetails on WARs in Section 2) Because the extensionsrsquo signaturessize was 40Mb and could take a lot of time to load on the client sidewe reorganized and compressed them to 600kb However testingall the 12497 extensions at once took 113ndash125 seconds and wasfreezing the UI of a Chrome browser To avoid freezing we splitall the extensions in batches of 200 extensions and testing all the12497 extensions ran in approximately 30s

Since testing all the extensions takes too long trackers may notbe using this technique in practice Therefore we measured howmuch time it takes to apply the optimized fingerprinting algorithmsfrom Section 5 Targeted fingerprinting addresses each user sepa-rately hence the number of tested extensions differs a lot from userto user General fingerprinting instead provides a generic optimiza-tion for all users Based on our results from Section 5 an attackercan test 485 extensions and obtain the same uniqueness results aswith testing all 12497 extensions Such testing can be run in 625

(a) DExt - 5474 users (b) DLoд - 9492 users (c) DExt cap DLoд - 3919 users (d) DExt cup DLoд - 11047 users

Figure 11 Anonymity sets for different numbers of attributes tested by general fingerprinting algorithm

milliseconds with the signature file size below 25Kb which makereal-life tracking feasible For websites with limited traffic volumesextension detection alone could be used for tracking or for websiteswith a higher traffic load it could contribute supplementary infor-mation for fingerprinting Regarding targeted fingerprinting theattacker can do even better as such short patterns can be detectedin less than 10 milliseconds

Compared to extension detection Web login detection methodsdepend on more external factors (such as network speed and howfast websites respond) thus they should be used with caution Forredirection URL hijacking detection we observed that the majorityof Web logins can be detected in 09ndash20 seconds however thetiming was much harder to measure for the method based on CSPviolation report We observed that if the network was overloadedand requests were delayed then the results of login detection werenot reliable however it is likely that unreliable results can be easilydiscarded by checking timings of results (eg large delays appearingonly in few cases)

Moreover we found a bug in the CSP reporting implementationin the Chrome browser that makes this kind of detection even moredifficult In fact without a system reboot for more than a coupleof days (we observed that this varies between one day to multipleweeks) the browser stopped sending CSP reports We reported theissue to Chrome developers as this bug not only makes CSP-baseddetection unreliable but more importantly CSP itself

7 THE DILEMMA OF PRIVACY EXTENSIONSVarious extensions exist that block advertisement content suchas AdBlock [1] or block content that tracks users such as Discon-nect [6] Such extensions undoubtedly protect usersrsquo privacy but ifthey are easily detectable on an arbitrary webpage then they cancontribute to usersrsquo fingerprint and can be used to track the useracross websites In our experiment based on detecting extensionsvia WARs we could detect four privacy extensions AdBlock [1]Disconnect [6] Ghostery [8] and Privacy Badger [17] The goalof this section is to analyze the tradeoff between the privacy loss(how fingerprintable users with such extensions are) and the levelof protection provided by these extensions

To understand this tradeoff we computed (i) how unique arethe users who install privacy extensions (ii) how many third-partycookies are stored in the userrsquos browser when a privacy extension

Figure 12 Uniqueness of users vs number of unblockedthird-party cookies

is activated (the smaller the number of third-party cookies thebetter the privacy protection) We analyzed four privacy exten-sions detectable by WARs and 16 combinations of these extensionsAdBlock [1] Disconnect [6] Ghostery [8] and Privacy Badger [17]

First we measured how a combination of privacy extensionscontributes to fingerprinting To measure uniqueness of users for acombination of extensions (ie AdBlock+Ghostery) we removedother privacy extensions from the DExt dataset7 (ie Disconnectand Privacy Badger) and then evaluated the percentage of uniqueusers for each combination

Second we measured how many third-party cookies were setin the browser even if privacy extensions were enabled We per-formed an experiment where for each combination of extensionswe crawled the top 1000 Alexa domains visiting homepage and4 additional pages in each domain8 We kept the browsing profilewhile visiting pages in the same domain and used a fresh profilewhen we visited a new domain We explicitly activated Ghosterywhich is deactivated by default and trained Privacy Badger on7The total number of users does not change since we simply remove certain extensionsfrom the userrsquos record in our dataset8We have extracted the first 4 links on the page that refers to the same domain

homepages of 1000 domains before performing our experimentWe collected all the third-party cookies that remained in the userrsquosbrowser for each setting and divided it by the number of domainscrawled

Figure 12 reports on the average number of cookies that re-mained in the browser for each combination of extensions and thecorresponding percentage of unique users

Similarly to the results of Merzdovnik et al [47] Ghostery blocksmost of the third-party cookies and the least blocking extensionis AdBlock Surprisingly some combinations such as Disconnect +Ghostery resulted in more third-party cookies being set than forGhostery alone ndash even after double checking the settings and re-running the measurements we do not have an explanation for thisphenomena However as this can have a serious counter-intuitiveeffect on user privacy it would be important to investigate this infuture work

More privacy extensions indeed increase userrsquos unicity All ofthese privacy extensions are also part of the general fingerprintwe calculated in Section 54 However this has little importancein practice If we ban the general fingerprint algorithm from usingprivacy extensions it will generate a fingerprint template of 531(instead of 485) extensions leading to a uniqueness level of 5127While 46 is a significant increase in the number of extensions forfingerprinting aswe have seen it already this would only contributevery little to the overall timing of the attack

On the other hand as this experiment revealed these exten-sions are also very useful to block trackers We could thereforeconclude that using Ghostery is a good trade-off between blockingtrackers and avoiding extension-based tracking However in or-der to efficiently solve the trade-off dilemma we believe that suchfunctionality should be included by default in all browsers

8 COUNTERMEASURESWe provide recommendations for users who want to be protectedfrom extensions- and logins-based fingerprinting We also provideto developers recommendations to improve browser and extensionsarchitecture in order to reduce the privacy risk for their usersCountermeasures for extension detection Extension detectionmethod based on Web Accessible Resources detects 28 of GoogleChrome extensions while for Firefox the number is much smaller673 of extensions are detectable by WARs [56] Firefox gives agood example of browser architecture that makes extensions detec-tion difficult The upcoming Firefox extensions API WebExtensionswhich is compatible with Chrome extensions API [4] is designed toprevent extensions fingerprinting based on WARs each extensionis assigned a new random identifier for each user who installs theextension [19] To protect the users developers of Chrome exten-sions could avoid Web Accessible Resources by hosting them on anexternal server however this could lead to potential privacy andsecurity problems [56] Developers of the Chrome browser couldnonetheless improve the privacy of their users by adopting therandom identifiers for extensions as in WebExtensions API

Most of the browsers are vulnerable to extension detection andwebsites could also detect extensions by their behavior [58] There-fore today users cannot protect themselves completely but they

still can minimize the risk by using browsers such as Firefox wherea smaller fraction of extensions are detectableCountermeasures for login Users may opt for tracker-blockingand adblocking extensions such as Ghostery [8] Disconnect [6] orAdBlockPlus [2] But these extensions block requests to well-knowntrackers while Web logins detection sends requests to completelylegitimate websites where the user has logged into anyway An-other option is to install extensions that block cookies arrivingfrom unknown or undesirable domains These extensions do notprotect users for the same reason cookies that belong to websitesthat the user visits (and treated as first-party cookies) are the samecookies used for login detection (with the only difference that thesame cookies are treated as third-party cookies) For example so-cial websites such as Facebook or Twitter use first-party cookiesTheir social button widgets with third-party cookies may still beallowed by the browser extensions in the context of other websitesTherefore users can protect themselves from Web logins detectiononly by disabling third-party cookies in their browsers

Website owners could also react to such potential privacy riskfor their users In our case this would simply mean filtering loginURL redirection and sanity checking other redirection mechanismsagainst the CSP-based attack Unfortunately this issue has beenknown for a while but website owners do not patch it because theydo not consider this as a serious privacy risk [46]

Browser vendors could help avoid login detection by blockingthird-party cookies by default The new intelligent tracking protec-tion of the Safari browser takes a step in the right direction as itblocks access to third-party cookies and deletes them after a while

9 RELATEDWORKSince 2006 there have been multiple proposals to detect and enu-merate userrsquos browser extensions [26 28 35 43] Most of themwere blog posts that were meant to raise awareness in the securitycommunity but they did not aim either to scientifically evaluateextension detection at large scale nor to perform user studies thatcould explain how extensions contribute to browser fingerprint-ing Similarly there has been an ongoing discussion on Web logindetection in the security community [24 31 36 41 42 46] but noquantitative studies have been made until this work

Sjoumlsten et al [56] provided the first large scale study on enumer-ating all free browser extensions that were available to Chrome andFirefox While their work lacked the evaluation of user uniquenessor fingerprintability it disclosed the fact that 28 of the Alexa top100k sites already used extensions detection This result made itclear that extension detection is more than a theoretical privacythreat thus deserving further studying

Starov and Nikiforakis [58] were the first to analyze fingerprint-ability of browser extensions and evaluating how unique usersare based on their extensions Differently from our method theydetected extensions based on the changes extensions make to thewebpages They examined top 10000 Chrome extensions and foundthat 92 of them were detectable on any website and 166 madedetectable changes on specific domains with 90 accuracy In con-trast we used Web Accessible Resources [56] to detect extensionsand analyzed all free ChromeWeb Store extensions In our measure-ment period we observed that 27minus28 of all free Chrome extensions

were detectable on any website with 100 accuracy While we didnot measure this in the study of [56] the authors found that 3896of top 10k extensions in the Chrome Web Store are detectable withWARs Saacutenchez-Rola et al [54] detected browser extensions througha timing side-channel attack and were able to detect all extensionsin Firefox and Chrome that use access control settings regardlessof the visited site

Both us and Starov and Nikiforakis analyzed the stability ofthe proposed detection method For a sample of 1000 extensionsStarov and Nikiforakis concluded that 88 of extensions were stilldetectable after 4 months In our study we analyzed 12164 ex-tensions and conclude that 724 of them are detectable in everymonth during 9-months period

To evaluate uniqueness of users based on their browser exten-sions Starov and Nikiforakis have collected installed extensionsfor 854 users In total their users had 174 extensions that werefingerprintable Saacutenchez-Rola et al[54] collected fingerprints fromonly 204 users and tested for 2000 Chrome and Firefox extensionsIn our study we have 7643 Chrome users for whom we tested16743 extensions among them 1110 extensions were installed byour users

Regarding performance Starov and Nikiforakis [58] reportedthat to detect 5 extensions their testing website needed roughly 250ms Saacutenchez-Rola et al[54] are using timing attack which works ina very similar way as detecting WARs When querying a non-exist(fake) WAR of an extension the authors observed a difference inthe time the browser takes to respond to the query depending onwhether the extension is installed in the userrsquos browser or not Thedifference is caused by the access control mechanism of the browserwhen the concerned extension is installed or not in the browserBecause of this timing method Saacutenchez-Rola et al had to make 10calls per extension while in our work we made only one single callper extension We measured that the checking time of non-existingresources and loading existing WARs are very close to each other(around 1 ms) thus we argue that our approach is significantlyfaster

10 DISCUSSION AND FUTUREWORKRealistic datasets To compare our study with previous works onfingerprinting by browser extensions we analyzed different ran-dom subsets of 7643 users who run Chrome web browser (wherebrowser extension detection is possible in our experiment) Fig-ure 13 shows how user uniqueness based on extensions changeswith respect to the various subsets of our dataset It clearly demon-strates an intuition that the smaller the user set is the smaller isthe diversity of users and the easier it is to uniquely identify them

Figure 13 compares our results to previous studies on browserextensions fingerprinting we have 7643 Chrome users while pre-vious studies had 204 [54] and 854 [58] users and therefore drawdifferent conclusions about uniqueness of users based on browserextensions

We reported on the number of unique users in subsets of 204 and854 users in Section 32 (see Table 2) By exploring this comparisonwe raise a fundamental question What is the ldquorightrdquo size for thedataset

Figure 13 Uniqueness of Chrome users based on their exten-sions only vs number of users - 204 is the number of usersused in [54] and 854 the number of users considered in [58]

Taking a look at research on standard fingerprinting in 2010 Eck-ersley showed that 95 of browsers were unique based on their prop-erties [30] which was backed by several papers since then [25 45]However a recent study states that by looking at 2 million finger-prints in 2018 the authors only found 336 of those fingerprintsto be unique [34]

It is extremely difficult for computer scientists to get access tosuch large datasets ndash in our experience we advertised our exper-iment website through all possible channels including TwitterReddit and press coverage We experienced that having larger highquality datasets is a highly nontrivial research task It is importantto re-evaluate our results over time while also aiming to obtainlarger dataset sizes

Stability of fingerprints While studying uniqueness based onvarious behavioural features it is very important to know how sta-ble these features are as the ability to use some of this informationas part of a fingerprint does not solely depend on its anonymity setof overall entropy but also on the information stability (ie howfrequently it changes over time) Vastel et al [59] recently analyzedthe evolution of fingerprints of 1905 browsers over two years Theyconcluded that fingerprintsrsquo evolution strongly depends on the typeof the device (laptop vs mobile) and how it is used Overall theyobserved that 50 of browsers changed their fingerprints in lessthan 5 days

In our study we did not have enough data to make any claimsabout the stability of the browser extensions andweb logins becauseonly few users repeated an experiment on our website (to be preciseonly 66 users out of 16393 users have made more than 4 tests on ourwebsite) We would expect that browser extensions are more stablethan logins since users do not seem to change extensions very oftenwhile they may log in and log out of various websites during theday However studying the stability of extensions and logins wouldrequire all our users to install a tool (probably a browser extension)in their browsers that would monitor the extensions they install andlogins they perform This kind of experiment would be even harderto perform at large scale since users do not easily trust to install new

browser extensions In AmIUnique experiment Laperdrix [44] wastrying to measure stability of browser fingerprints ndash he collecteddata from 3528 devices over a twenty-month-long experiment Wemanaged to have 16393 users testing our website in 9 months Thisshows that users have more trust in testing their browser on awebsite than installing new extensions

We therefore keep the study of fingerprints stability for futurework and raise an important question in privacy measurementcommunity How can we ensure a large scale coverage of users forour privacy measurement experiments

11 CONCLUSIONThis paper reports on a large-scale study of a new form of browserfingerprinting technique based on browser extensions and websitelogins The results show that 1838 of users are unique becauseof the extensions they install (5486 of users that have installedat least one detectable extension are unique) 1130 of users areunique because of the websites they are logged into (1953 areunique among those who have logged into one or more detectablewebsites) and 3451 of users are unique when combining theirdetected extensions and logins (8923 are unique among userswith at least one extension and one login) It also shows that thefingerprinting techniques can be optimized and performed in 625ms

This paper illustrates one more time that user anonymity isvery challenging on the Web Users are unique in many differentways in the real life and on theWeb For example it has been shownthat users are unique in the way they browse the Web the waythey move their mouse or by the applications they install on theirdevice [40] This paper shows that users are also unique in theway they configure and augment their browser and by the sitesthey connect to Unfortunately although uniqueness is valuable insociety because it increases diversity it can be misused by maliciouswebsites to fingerprint users and can therefore hurt privacy

Another important contribution of this paper is the definitionand the study of the trade-off that exists when a user decides toinstall a ldquoprivacyrdquo extension for example an extension that blockstrackers This paper shows that some of these extensions increaseuserrsquos unicity and can therefore contribute to fingerprinting whichis counter-productive We argue that these ldquoprivacyrdquo extensions arevery useful but they should be included by default in all browsersldquoPrivacy by defaultrdquo as advocated by the new EU privacy regulationshould be enforced to improve privacy of all Web users

ACKNOWLEDGMENTFirst of all we would like to thank the valuable comments andsuggestions of the anonymous reviewers of our paper This researchhas been partially supported by the ANR projects AJACS ANR-14-CE28-0008 and CISC ANR- 17-CE25-0014-01 We are grateful forAlexander Sjoumlsten Steven Van Acker Andrei Sabelfeld who sharedtheir code and signature database for Chrome browser extensiondetection [56] and also for Robin Linus who allowed us to buildon his script on social media presence detection We thank ImaneFouad and Natasa Sarafijanovic-Djukic for their help in evaluatingthe effect of browser extensions on third-party cookies

REFERENCES[1] AdBlock Official website httpsgetadblockcom[2] Adblockplus official website httpsadblockplusorg[3] Brave browser httpsbravecom[4] Chrome Extensions API httpsdeveloperchromecomextensions[5] Content security policy (csp)[6] Disconnect Official website httpsdisconnectme[7] Faceboook website httpswwwfacebookcom[8] Ghostery Official website httpswwwghosterycom[9] Google Chrome browser httpswwwgooglecomchrome[10] Google manifest - web accessible resources[11] Google manifest file format[12] Google website httpswwwgooglecom[13] Googlersquos Gmail httpsgmailcom[14] Lastpass official website httpswwwlastpasscombusiness[15] Linkedin website httpswwwlinkedincom[16] Opera browser httpwwwoperacom[17] Privacy Badger - Electronic Frontier Foundation httpswwwefforgfr

privacybadger[18] Same Origin Policy httpswwww3orgSecuritywikiSame_Origin_Policy[19] WebExtensions web_accessible_resources httpsdevelopermozillaorgen-US

Add-onsWebExtensionsmanifestjsonweb_accessible_resources[20] Youtube website httpswwwyoutubecom[21] G Acar C Eubank S Englehardt M Juaacuterez A Narayanan and C Diacuteaz The

web never forgets Persistent tracking mechanisms in the wild In Proceedingsof the 2014 ACM SIGSAC Conference on Computer and Communications SecurityScottsdale AZ USA November 3-7 2014 pages 674ndash689 2014

[22] G Acar M Juaacuterez N Nikiforakis C Diacuteaz S F Guumlrses F Piessens and B PreneelFpdetective dusting the web for fingerprinters In 2013 ACM SIGSAC Conferenceon Computer and Communications Security CCSrsquo13 Berlin Germany November4-8 2013 pages 1129ndash1140 2013

[23] J P Achara G Aacutecs and C Castelluccia On the unicity of smartphone applica-tions CoRR abs150707851 2015

[24] T Anthony Detect if visitors are logged into twitter facebook or google+httpwwwtomanthonycoukblogdetect-visitor-social-networks 2012

[25] K Boda Aacute M Foumlldes G G Gulyaacutes and S Imre User tracking on the web viacross-browser fingerprinting In Information Security Technology for Applications- 16th Nordic Conference on Secure IT Systems NordSec 2011 Tallinn EstoniaOctober 26-28 2011 Revised Selected Papers pages 31ndash46 2011

[26] M Bryant Dirty browser enumeration tricks - using chromeand about to detect firefox and addons httpsthehackerblogcomdirty-browser-enumeration-tricks-using-chrome-and-about-to-detect-firefox-pluginsindexhtml 2014

[27] Y Cao S Li and E Wijmans (cross-)browser fingerprinting via os and hardwarelevel features In 24th Annual Network and Distributed System Security SymposiumNDSS 2017 San Diego California USA 26 February - 1 March 2017 2017 ToAppear

[28] G Cattani The evolution of chrome extensions detection httpblogbeefprojectcom201304the-evolution-of-chrome-extensionshtml 2013

[29] Y-A de Montjoye C A Hidalgo M Verleysen and V D Blondel Unique in thecrowd The privacy bounds of human mobility Scientific Reports 31376 EP ndash2013

[30] P Eckersley How unique is your web browser In Privacy Enhancing Technolo-gies 10th International Symposium PETS 2010 Berlin Germany July 21-23 2010Proceedings pages 1ndash18 2010

[31] A Elsobky Novel techniques for user deanonymization attacks https0xsobkygithubionovel-deanonymization-techniques 2016

[32] S Englehardt and A Narayanan Online tracking A 1-million-site measurementand analysis In Proceedings of the 2016 ACM SIGSAC Conference on Computer andCommunications Security Vienna Austria October 24-28 2016 pages 1388ndash14012016

[33] H Gamboa A L N Fred and A K Jain Webbiometrics User verification viaweb interaction In 2007 Biometrics Symposium pages 1ndash6 2007

[34] A Goacutemez-Boix P Laperdrix and B Baudry Hiding in the Crowd an Analysisof the Effectiveness of Browser Fingerprinting at Large Scale In Web Conference(WWW 2018) Lyon France 2018

[35] J Grossman I know what yoursquove got (firefox extensions) httpblogjeremiahgrossmancom200608i-know-what-youve-got-firefoxhtml 2006

[36] J Grossman Login detection whose problem is it httpblogjeremiahgrossmancom200803login-detection-whose-problem-is-ithtml 2008

[37] G G Gulyaacutes G Acs and C Castelluccia Code repository for paper titledrsquonear-optimal fingerprinting with constraintsrsquo httpsgithubcomgaborgulyasconstrainted_fingerprinting 2016

[38] G G Gulyaacutes G Acs and C Castelluccia Near-optimal fingerprinting withconstraints Proceedings on Privacy Enhancing Technologies 2016(4)470ndash4872016

[39] J Haag Modern and flexible browser fingerprinting library httpsgithubcomValvefingerprintjs2

[40] B Hayes Uniquely me how much information does it take to single out oneperson among billions 102106ndash109 2014

[41] E Homakov Using content-security-policy for evil httphomakovblogspotfr201401using-content-security-policy-for-evilhtml 2014

[42] E Homakov Profilejacking - legal tricks to detect user profile httpssakuritycomblog20150310Profilejackinghtml 2015

[43] K Kotowitz Intro to chrome addons hacking fingerprinting httpblogkotowicznet201202intro-to-chrome-addons-hackinghtml 2012

[44] P Laperdrix Browser Fingerprinting Exploring Device Diversity to AugmentAuthentication and Build Client-Side Countermeasures PhD thesis INSA Rennes2017

[45] P Laperdrix W Rudametkin and B Baudry Beauty and the beast Divertingmodern web browsers to build unique browser fingerprints In IEEE Symposiumon Security and Privacy SP 2016 San Jose CA USAMay 22-26 2016 pages 878ndash8942016

[46] R Linus Your social media fingerprint httpsrobinlinusgithubiosocialmedia-leak 2016

[47] G Merzdovnik M Huber D Buhov N Nikiforakis S Neuner M Schmiedeckerand E Weippl Block me if you can A large-scale study of tracker-blocking toolsIn 2nd IEEE European Symposium on Security and Privacy Paris France 2017 Toappear

[48] K Mowery and H Shacham Pixel perfect Fingerprinting canvas in HTML5 InM Fredrikson editor Proceedings of W2SP 2012 IEEE Computer Society May2012

[49] N Nikiforakis A Kapravelos W Joosen C Kruegel F Piessens and G VignaCookieless monster Exploring the ecosystem of web-based device fingerprintingIn 2013 IEEE Symposium on Security and Privacy SP 2013 Berkeley CA USA May19-22 2013 pages 541ndash555 2013

[50] Ł Olejnik C Castelluccia and A Janc Why johnny canrsquot browse in peaceOn the uniqueness of web browsing history patterns In Hot Topics in PrivacyEnhancing Technologies (HotPETs 2012) 07 2012

[51] I Paul Firefox will stop supporting plugins by end of 2016 follow-ing chromersquos lead httpswwwpcworldcomarticle2990991browsersfirefox-will-stop-supporting-npapi-plugins-by-end-of-2016-following-chromes-leadhtml

[52] M Pusara and C Brodley User re-authentication via mouse movements In ACMWorkshop Visualizat Data Mining Comput Security page 1ndash8 2004

[53] J Roth X Liu and D Metaxas On continuous user authentication via typingbehavior 23(10)4611ndash4624 2014

[54] I Saacutenchez-Rola I Santos and D Balzarotti Extension breakdown Securityanalysis of browsers extension resources control policies In 26th USENIX SecuritySymposium pages 679ndash694 2017

[55] J Schuh Canvas DefendeSaying Goodbye to Our Old FriendNPAPI September 2013 httpsblogchromiumorg201309saying-goodbye-to-our-old-friend-npapihtml

[56] A Sjoumlsten S Van Acker and A Sabelfeld Discovering browser extensions viaweb accessible resources In Proceedings of the Seventh ACM on Conference onData and Application Security and Privacy CODASPY rsquo17 pages 329ndash336 NewYork NY USA 2017 ACM

[57] S Stamm B Sterne and G Markham Reining in the web with content securitypolicy In Proceedings of the 19th International Conference on World Wide WebWWW 2010 Raleigh North Carolina USA April 26-30 2010 pages 921ndash930 2010

[58] O Starov and N Nikiforakis Xhound Quantifying the fingerprintability ofbrowser extensions In Proceedings of the 38th IEEE Symposium on Security andPrivacy pages 941ndash956 2017

[59] A Vastel P Laperdrix W Rudametkin and R Rouvoy FP-STALKER TrackingBrowser Fingerprint Evolutions In 39th IEEE Symposium on Security and Privacy(SampP 2018) 2018

[60] M West A Barth and D Veditz Content Security Policy Level 2 W3C CandidateRecommendation 2015

[61] Y Zhong Y Deng and A K Jain Keystroke dynamics for user authentication In2012 IEEE Computer Society Conference on Computer Vision and Pattern RecognitionWorkshops Providence RI USA June 16-21 2012 pages 117ndash123 2012

Abstract

1 Introduction

2 Background

21 Detection of browser extensions

22 Detection of Web logins

3 Dataset

31 Experiment website and data collection

32 Data statistics

33 Usage of extensions and logins

4 Uniqueness analysis

41 Four final datasets

42 Uniqueness results for final datasets

5 Fingerprinting attacks

51 Threat model

52 How to choose optimal attributes

53 Targeted fingerprinting

54 General fingerprinting

6 Implementation and performance

7 The dilemma of privacy extensions

8 Countermeasures

9 Related work

10 Discussion and future work

11 Conclusion

References

from more than 16000 users who visited our website (see the break-down in Fig 6) Our experimental website identifies installed GoogleChrome [9] extensions via Web Accessible Resources [56] and de-tects websites where the user is logged into by methods that relyon URL redirection and CSP violation reports Our website is ableto detect the presence of 13k Chrome extensions on average permonth (the number of detected extensions varied monthly between12 164 and 13 931) covering approximately 28 of all free Chromeextensions1 We also detect whether the user is connected to oneor more of 60 different websites Our main contributions are

bull A large scale study on how unique users are based on theirbrowser extensions and website logins We discovered that5486 of users that have installed at least one detectableextension are unique 1953 of users are unique among thosewho have logged into one or more detectable websites and8923 are unique among users with at least one extensionand one login Moreover we discover that 2298 of userscould be uniquely identified by Web logins even if theydisable JavaScript

bull We study the privacy dilemma on Adblock and privacy ex-tensions that is how well these extensions protect their usersagainst trackers and how they also contribute to uniquenessWe evaluate the statement ldquothe more privacy extensions youinstall the more unique you arerdquo by analyzing how usersrsquouniqueness increases with the number of privacy extensionsthey install and by evaluating the tradeoff between the pri-vacy gain of the blocking extensions such as Ghostery [8]and Privacy Badger [17]

We furthermore show that browser extensions and Web loginscan be exploited to fingerprint and track users by only checkinga limited number of extensions and Web logins We have appliedan advanced fingerprinting algorithm [38] that carefully selectsa limited number of extensions and logins For example Figure 1shows the uniqueness of users we achieve by testing a limitednumber of extensions The last column shows that 5486 of usersare unique based on all 16743 detectable extensions However bytesting 485 carefully chosen extensions we can identify more than5396 of users Besides detecting 485 extensions takes only 625ms

Finally we give suggestions to the end users as well as websiteowners and browser vendors on how to protect the users from thefingerprinting based on extensions and logins

In our study we did not have enough data to make any claimsabout the stability of the browser extensions andweb logins becauseonly few users repeated an experiment on our website (to be preciseonly 66 users out of 16393 users have made more than 4 tests onour website) We leave this as a future work

2 BACKGROUND21 Detection of browser extensionsA browser extension is a program typically written in JavaScriptHTML and CSS An extension may alter the context of the webpageintercept HTTP requests or provide extra functionality Examples

1The list of detected extensions and websites are available on our website httpsextensionsinrialpesfrfaqphp

Figure 1 Results of general fingerprinting algorithm Testing485 carefully selected extensions provides a very similar uniquenessresult to testing all 16743 extensions Almost unique means thatthere are 2ndash5 users with the same fingerprint

of browser extensions are ad blockers such as AdBlock [1] andpassword managers such as LastPass [14]

In the Google Chrome web browser each extension comes witha manifest file [11] which contains metadata about the exten-sion Each extension has a unique and permanent identifier andthe manifest file of an extension with identifier extID is locatedat chrome-extension[extID]manifestjson The manifestfile has a section web_accessible_resources (WARs) that declareswhich resources of an extension are accessible in the content of anywebpage [10] The WARs section specifies a list of paths to suchresources presented by the following type of URLchrome-extension[extID][path] where path is the pathto the resource in the extension

Therefore a script that tries to load such an accessible resourcein the context of an arbitrary webpage is able to check whetheran extension is installed with a 100 guarantee if the resource isloaded an extension is installed otherwise it is not Figure 2 showsan example of AdBlock extension detection the script tries to loadan image which is declared in the web_accessible_resources sectionof AdBlockrsquos manifest file If the image from AdBlock located atchrome-extension[AdBlockID]iconsicons24png is suc-cessfully loaded then AdBlock is installed in the userrsquos browser

Sjoumlsten et al [56] were the first to crawl the Google ChromeWebStore and to discover that 28 of all free Chrome extensions are de-tectable by WARs An alternative method to detect extensions thatwas available at the beginning of our experiment was a behavioralmethod from XHOUND [58] but it had a number of false positivesand detected only 92 of top 10k extensions (see Sec 9 for moredetails) Therefore we decided to reuse the code from Sjoumlsten etal [56] with their permission to crawl Chrome Web Store and iden-tify detectable extensions based on WARs During our experimentwe discovered that WARs could be detected in other Chromium-based browsers like Opera [16] and the Brave Browser [3] (we couldeven detect Brave Browser since it is shipped with several defaultextensions detectable by WARs) We have chosen to work withChrome as it was the most affected
















261


2015















Timingleaks [54]

204 2000 5686 5564

XHOUND[58]

854 1656 1410 4960

Ours 7643 13k 3929 3929






HN (X ) =H (X )

log2 N= minus

1log2 N
































































































































































Abstract

1 Introduction

2 Background



3 Dataset


32 Data statistics






51 Threat model






8 Countermeasures

9 Related work


11 Conclusion

References
















261


2015















Timingleaks [54]

204 2000 5686 5564

XHOUND[58]

854 1656 1410 4960

Ours 7643 13k 3929 3929






HN (X ) =H (X )

log2 N= minus

1log2 N
































































































































































Abstract

1 Introduction

2 Background



3 Dataset


32 Data statistics






51 Threat model






8 Countermeasures

9 Related work


11 Conclusion

References






Timingleaks [54]

204 2000 5686 5564

XHOUND[58]

854 1656 1410 4960

Ours 7643 13k 3929 3929






HN (X ) =H (X )

log2 N= minus

1log2 N
































































































































































Abstract

1 Introduction

2 Background



3 Dataset


32 Data statistics






51 Threat model






8 Countermeasures

9 Related work


11 Conclusion

References




















































































































































Abstract

1 Introduction

2 Background



3 Dataset


32 Data statistics






51 Threat model






8 Countermeasures

9 Related work


11 Conclusion

References

to extend or not to extend: on the uniqueness of browser ... · the most unique combinations of...

Documents