Quantifying the Fingerprintability of Browser Extensions XHOUND Quantifying the Fingerprintability of Browser Extensions Authors – Oleksii Starov and Nick Nikiforakis Presented By – Jordan Wong
Motivation Browser extensions enhance browsers Users have an average of 5 extensions Are there any costs to these extensions? Extensions allow you to be tracked Naïve countermeasures do not work Private browsing Deleting cookies https://cdn.thinkcodenyc.com/wp-content/uploads/2014/06/browser-extensions.jpg
Background Plugin Extension Types of tracking Deliver non-traditional HTML E.g. FlashPlayer JavaScript to get list of installed plugins Extension Extend browser functionality E.g. AdBlock Must analyze Document Object Model (DOM) Types of tracking Arbitrary domain – Tracking on any webpage Specific domain – Tracking on a specific webpage https://organicthemes.com/wp-content/uploads/2011/11/plugins.png?w=240
Purpose of this paper How many extensions introduce detectable DOM changes? What types of DOM changes are introduced? How many users are fingerprintable based on their extensions? Can a tracking script check what extensions are installed?
XHound A human can analyze the DOM and infer presence of extension But not scalable to ALL the available extensions XHound – Tool to determine DOM changes made by extensions 2 step approach Place hooks on functions of interest Dynamic analysis to stimulate DOM changing code https://pbs.twimg.com/profile_images/756896678289010688/W_ypJvEt.jpg
OnTheFlyDOM OnTheFlyDom library Create queried elements ‘on-the-fly’ Record created elements Return created elements Forces extensions to activate and make DOM changes
Methodology Need to compare DOM ‘before’ and ‘after’ extension Navigate to page with and without extension Webpage DOMs are dynamic Can’t determine cause of DOM changes
Methodology Visit honey pages Contains various elements Text Videos Images … Contains OnTheFlyDOM library ‘Redirect’ URL’s to localhost (780 URLs) http://images.clipartpanda.com/honey-clipart-honey-clipart-1.jpg
Fingerprintability of Extensions (1st RQ) Applied to top 10,000 extensions in Chrome store >9% are fingerprintable on arbitrary domain >16% are fingerprintable on specific domain Applied to top 1,000 extensions in Chrome store >13% are fingerprintable on arbitrary domain >23% are fingerprintable on specific domain
Fingerprintability of Extensions (1st RQ) Most fingerprintable by category Shopping Social media Longitudinal study (4 months) 88% still fingerprintable Same analysis performed on Firefox Same results
Types of DOM Modification (2nd RQ) 4 types of modification Adding a DOM element Deleting a DOM element Change a tag’s attribute Change text on a page
Fingerprintability based on user extensions(3rd RQ) 850 extensions and users were analyzed Users grouped into anonymity sets Each set represents users who have the same extension-based fingerprint The smaller the set, the more trackable the user 14% of users are uniquely identifiable based on their extensions
Can a tracking script determine installed extensions(4th RQ) Tracking script takes less than 5ms to check for an extension Users have an average of 5 extensions More information can be deduced based on user extensions Interests Income levels … https://www.vehicletrackingexperts.co.uk/wp-content/uploads/sites/7/2015/02/detective-tracking.png
Countermeasures Encapsulation Namespace pollution Shadow DOM – ‘Package element’ to separate presentation from content Does not work for all types of changes Namespace pollution Adding random DOM changes to the DOM Gives false positives to tracking scripts Hard to achieve – need to maintain original page functionality http://privacypolicies.com/blog/wp-content/uploads/2015/12/privacy-lock.png
Criticism – Browsers Did not consider effects of different browser versions There are other popular browsers which were not explored Safari Microsoft Edge Internet Explorer http://www.carldyke.com/browsers/image/browsers.png
Criticism – Extension Source Some extensions require setup before they can activate Redux DevTools Responsive WebTester XHound does not configure extensions Extension source Only Chrome store used Third party sources not considered https://www.google.com/chrome/assets/common/images/content/bagofapps.jpg
Criticism - Frameworks Multiple front-end frameworks Angular React Significantly different resulting DOMs May impact the fingerprintability of extensions but not considered http://www.polydron.co.uk/user/products/large/10-F400.jpg
Criticism Provided a convincing argument on the vulnerabilities Opportunity for future work
Thank you Q & A