Slashdot Mirror


Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.

33 of 88 comments

  1. The DOM model strikes again by Anonymous Coward · · Score: 2, Insightful

    Someone tell me why a browser needs to tell this stuff to the Internet?

    1. Re:The DOM model strikes again by Tablizer · · Score: 1

      DOM = DUM

  2. Price of your vacation by Bender+Unit+22 · · Score: 1

    So it will be easier for the travel industry to keep track of you and keep the prices up for the places you have been looking at information for, even when you try to use different browsers, IP addresses etc?

    1. Re:Price of your vacation by voxel · · Score: 1

      Technically yes. You could even browse with Internet Explorer as usual, then connect a VPN and switch to Incognito mode in Google Chrome and they still know who you are.

      --
      Modesty is one of life's greatest attributes

  3. VirtualBox by Anonymous Coward · · Score: 1

    I guess now we need a bunch of VMs with different distros on them or something. This is really getting tiring.

    Btw, I bet javascript was used to pull all these variables somehow.

    1. Re:VirtualBox by mlts · · Score: 1

      I've been browsing in a VM for a while. This not just limits browser fingerprinting, but also what damage malicious software can do.

    2. Re:VirtualBox by techno-vampire · · Score: 4, Informative

      Using multiple VMs with different distros won't help a bit here, because when you come right down to it, they're all using the same hardware, and that's what this is exploiting. Now, if you had multiple graphics cards and let different distros use different cards, that might throw them off.

      --
      Good, inexpensive web hosting

    3. Re:VirtualBox by lkroll4565 · · Score: 1

      Yup. Viva la Virtualbox. :)

  4. Re:What sites?? by sexconker · · Score: 1

    What benefit does using a HOSTS file have over using a plugin to block JS/tracking shit/ads/etc?
    Is the HOSTS file more dependable? Is the HOSTS file faster?

  5. Re:Advice - How to avoid? by The-Ixian · · Score: 1

    Unplug your computer from the Internet...

    I really think that is the only way.

    But then you still have all the public surveillance, credit cards, wifi, cell towers and who knows what else tracking you.... so.... good luck.

    --
    My eyes reflect the stars and a smile lights up my face.

  6. Time for counter-measures by davidwr · · Score: 5, Insightful

    Browsers should present a "generic" capabilities list to web sites unless the user white-lists that site to receive some or all of the "real" capabilities. An online video-gaming site may need to know if I can play a GPU-intensive online game through the web browser, but very few other sites need to know.

    For example, "generic capabilities" would be:

    Screen size would be "small" for tablets, phones, and small notebooks, or "normal" for everything else. Pixel density would not be disclosed.
    "List of fonts" would be the most common "web fonts" in the main language of the operating system.
    As for the rest, they would be shown as "not disclosed."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

    1. Re:Time for counter-measures by hcs_$reboot · · Score: 1

      Screen size would be "small" for tablets, phones, and small notebooks, or "normal" for everything else.

      Important information for the web site and CSS is the viewport size, i.e. the size of the browser window usable by the site scripts. The screen size itself should not be disclosed.

      --
      Slashdot, fix the reply notifications... You won't get away with it...

    2. Re:Time for counter-measures by tepples · · Score: 1

      Given the "all maximized all the time" window management policy of popular web browsing environments, the viewport size is a very good predictor of screen size. In fact, exact viewport size might even help with fingerprinting because different system fonts may cause the notification bar to be larger or smaller.
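
The thread above (davidwr's per-site "generic capabilities" allowlist, hcs_$reboot's point that layout only needs the viewport, and tepples's warning that an exact viewport still leaks the screen) can be put together in one small policy. What follows is an added example written for this page; it is not code from Firefox, Tor Browser or any of the commenters. Untrusted origins get a coarsened view (screen class instead of resolution, cores and GPU withheld, a generic font list), the viewport is kept for layout but rounded down to a 100 px grid so its exact value carries less information, and an allowlisted origin gets the real values. The names (CapabilityPolicy, capabilitiesFor), the "small"/"normal" threshold, the 100 px grid and the font lists are all my own assumptions.

```javascript
// Added example, not from any browser vendor or the commenters: a per-origin
// "generic capabilities" view of the kind davidwr proposes. Untrusted origins
// get coarse or withheld hardware facts; the viewport (which layout needs) is
// kept but rounded to 100px steps so its exact value does not give away the
// screen size. All names and thresholds are assumed.

// Assumed "most common web fonts" per language prefix.
const COMMON_FONTS = {
  en: ["Arial", "Times New Roman", "Courier New", "Verdana"],
  de: ["Arial", "Times New Roman", "Courier New"],
};

class CapabilityPolicy {
  constructor(allowlist) {
    this.allow = new Set(allowlist || []);
  }
  grant(origin) { this.allow.add(origin); }   // user clicked "allow" for this site
  allows(origin) { return this.allow.has(origin); }
}

// Assumed threshold: anything whose short side is under 900px is "small".
function screenClass(width, height) {
  return Math.min(width, height) < 900 ? "small" : "normal";
}

// Round down to a 100px grid; a 1843x937 window reports as 1800x900.
function coarseViewport(px) {
  return Math.floor(px / 100) * 100;
}

function capabilitiesFor(real, origin, policy) {
  if (policy.allows(origin)) {
    return Object.assign({}, real); // allowlisted (e.g. a game site): real values
  }
  const lang = (real.language || "en").slice(0, 2).toLowerCase();
  return {
    screenClass: screenClass(real.screenWidth, real.screenHeight),
    viewportWidth: coarseViewport(real.viewportWidth),
    viewportHeight: coarseViewport(real.viewportHeight),
    pixelRatio: "not disclosed",
    hardwareConcurrency: "not disclosed",
    webglRenderer: "not disclosed",
    fonts: COMMON_FONTS[lang] || COMMON_FONTS.en,
  };
}

// Constructed "real" capabilities of one machine (hypothetical values).
const REAL = {
  screenWidth: 1920, screenHeight: 1080,
  viewportWidth: 1843, viewportHeight: 937,
  pixelRatio: 1.25, hardwareConcurrency: 8,
  webglRenderer: "ANGLE (Intel HD Graphics 530)",
  language: "en-US",
  fonts: ["Arial", "Calibri", "Consolas", "Segoe UI", "Wingdings"],
};

const policy = new CapabilityPolicy(["https://game.example"]);
const forNews = capabilitiesFor(REAL, "https://news.example", policy);
const forGame = capabilitiesFor(REAL, "https://game.example", policy);
console.log(forNews);                      // coarse view: no cores, no GPU, 1800x900 viewport
console.log(forGame.hardwareConcurrency);  // 8
```

The rounding is the part worth noticing: it is the same idea Tor Browser applies by letterboxing the content area to fixed size steps, and it is what turns tepples's objection into a bounded leak (a handful of buckets) instead of an exact value. A real implementation would also have to enforce this at the API surface the page scripts see, not merely compute a second object, which is why it belongs in the browser rather than in an extension.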

  7. Re:What sites?? by 0100010001010011 · · Score: 3, Funny

    Someone that has advanced personal knowledge of this should definitely chime in about the glories of the HOSTS file over all other options.

  8. Why isn't Mozilla doing more?! by Anonymous Coward · · Score: 3, Insightful

    What I always wonder is why Mozilla isn't doing more to protect user privacy. This is one thing that could really differentiate them from Chrome and other browsers.

    I always hear from Mozilla supporters that Firefox is already "the best" when it comes to this. But the summary claims that Firefox is affected by these methods.

    Then there are problems like how Firefox includes "telemetry" support that can be disabled, but it can't be easily removed completely. This should be opt-in, in the sense of the functionality not even being present unless you download a special non-default build that includes it. Yeah, that means Mozilla likely won't get as much user data to mine. That's the whole point, though: the browser shouldn't unnecessarily share data with anyone, including Mozilla. It's not like whatever data they've been collecting so far has done them any good; Firefox's share of the market is continually dropping as users get more and more disappointed with its awful user experience. All of the smart Firefox users (the ones being driven away) likely already disabled "telemetry", so they're probably already basing their decisions on incomplete data from the dumbest Firefox users.

    It also doesn't help that they're so eager to include all of this unnecessary Web 2.0 and HTML5 functionality that lets websites track your location, or use your microphone, or other nonsense like that. This is the kind of crap that has one purpose only: providing personal data to advertisers. Any other use case is better handled by non-browser applications.

    User privacy is one area where Firefox could really shine. It's perhaps the one thing that could really draw users back from Chrome, Edge, Safari, and the other browsers they've moved to after Firefox's user experience went to hell. Yet what the Firefox devs have done in this direction so far has been uninspiring.

    1. Re:Why isn't Mozilla doing more?! by buswolley · · Score: 1

      Its a good point. Make them earn the white hat mug. https://society6.com/product/w...

      --
      A Good Troll is better than a Bad Human.

    2. Re: Why isn't Mozilla doing more?! by TheOuterLinux · · Score: 2

      I think Firefox doesn't feel the need to do more to prevent tracking because the Tor Browser project already exists. Plus, placing blockers inside their software by default slows them down just enough to affect the Firefox vs. Chrome speed war each year. And, they may use that data themselves for the Browser Health Report that's turned on by default. If anyone is interested in browser privacy, I have a few links on my website: http://theouterlinux.com/priva... There's other cool stuff there too.

    3. Re:Why isn't Mozilla doing more?! by Anonymous Coward · · Score: 1

      I think we're going to see a redux of "flash exploits" via webGL/HTML5

      This is what browser vendors should be doing:
      1) Initializing WebGL in "sandbox" mode (eg reports that WebGL functionality exists, but does not allow WebGL content until clicked first, basically whatever script first queries WebGL is paused until the user initiates it.) This would also save enormous battery life. "This site would like to run WebGL content (animations or games)", which then white lists the site.
      2) Same with Video cameras, Microphones and Location data. If you don't explicitly whitelist the site, it is "present" but paused, so no content is returned.
      3) Web browsers should have a mandatory blacklist (eg equal to setting 127.0.0.1 in hosts files) and whitelist (always allow content from this IP address or DNS name), so that annoying behavior, be it ads, hijacked wordpress sites, malware downloaders, and so forth, is checked before doing a DNS query. While this may allow people to blacklist all ads, they would have to do it one at a time. A related feature would be "greylist third-party URLs from this site" which would log all network requests from outside the domain so they can be manually blacklisted or whitelisted.

      I'm not a strong advocate for blacklisting, but I find there is one section of the internet (the one populated by 4chan and reddit) where a blacklisting of all third-party URL's is required because of the amount of cheeky bullshit links.

    4. Re:Why isn't Mozilla doing more?! by TheRaven64 · · Score: 1

      I'm wondering why Edge isn't. Not only would more privacy features be a good differentiator, anything that makes ads less effective would harm Google, which seems like it would be in Microsoft's best interests.

      --
      I am TheRaven on Soylent News

    5. Re:Why isn't Mozilla doing more?! by chefmonkey · · Score: 1

      Mozilla is; there's just not much marketing around it.

      To be clear, the level of de-featuring you're asking for makes for pretty good privacy, but a shitty modern browser. However, Mozilla is strongly committed to the prospect that the trade-off between features and privacy should remain in users' hands, which is why we work very closely with the Tor project to produce a browser that does exactly what you're proposing. The reason Firefox doesn't do this out of the box is that a browser that has been de-featured in this way does not come close to fitting the average user's needs. But you have choices, and Mozilla is committed to supporting Tor Browser to give people like you exactly what you're asking for.

      In case you missed it, Mozilla recently started taking Tor's modifications in as part of core Firefox code, both to make things easier for the team that maintains Tor Browser, and to allow users to turn certain Tor-provided privacy-focused features on in base Firefox.

    6. Re: Why isn't Mozilla doing more?! by chefmonkey · · Score: 1

      What's interesting about a lot of these fingerprinting metrics is that they aren't the result of just asking something like "navigator.getCoreCount()" -- these are sophisticated techniques that run very carefully crafted bits of code, and then measure the time certain operations take in order to deduce the number of effective cores. There's really no way to "lie" other than to intentionally be slow.

  9. Re:Advice - How to avoid? by AHuxley · · Score: 1

    Some kind of VM with one browser in it and a good VPN on a router?

    --
    Domestic spying is now "Benign Information Gathering"

  10. You're far too generous by bsdasym · · Score: 4, Informative

    The game site does not need to know what your capabilities are. If you try to run it, and it doesn't work, you don't try again. It doesn't need to know *any* of the fonts or even font-families you have installed, it just needs to do what the web has always done: present a list of fonts the site designer would like the browser to use, if they are available and the user allows it. No site needs to know even the simple small/med/large screen size, as that can all be (and usually is) handled entirely within the browser via CSS.

    Give them even less info than you propose and it'll still be too much, generally speaking.

    1. Re: You're far too generous by tepples · · Score: 1

      Then the browser could lie to sites that want to use WebGL, telling them "My device's GPU is no more powerful than that of the original PlayStation from 1995" until the user has opted into full-featured WebGL for that domain.

  11. Not interesting by Kergan · · Score: 1

    Wake me up when we're able to fingerprint the same user across different devices. *That* will be freaky - and, admittedly, will interest me as a marketer.

    1. Re:Not interesting by Anonymous Coward · · Score: 1

      >as a marketer.

      Well there's yer problem. As a marketer you have limited capacity to understand humans.

  12. Re:What sites?? by 0100010001010011 · · Score: 1

    Which is why I have a whole house DNS server that redirects to a catchall Nginx server that returns a 204.

  13. Re:What sites?? by sexconker · · Score: 1

    woosh

  14. Javascript by floodo1 · · Score: 1

    The VAST majority of fingerprinting and most of the useful stuff relies on whoever is doing the fingerprinting running their javascript in your browser (client). Using something like NoScript to block javascript by default and limiting what you allow is quite effective at fighting fingerprinting.

    Definitely not a magic bullet but it's super helpful for this and lots of other web annoyances.
    Plus, you get to learn just how much useless javascript most sites want you to run (3rd party that has no impact on functionality)

    --
    I KUT J00 M4NG!!!

  15. Protect your firefox by allo · · Score: 1

    Have a look at ffprofile.com to generate a secured profile. Look at the github page to extend the site for more un-features.

  16. Re:What sites?? by allo · · Score: 1

    nope, you should not.

    0.0.0.0 means "use a random* ip of the system".
    You should either use 127.0.0.1 (and make sure NOT to run a webserver on your host) or some unroutable IP.

    * depending on the order of network interfaces.

  17. Multi-PC means affluent ergo more valuable by tepples · · Score: 1

    You can have multiple individuals using the same PC.

    I'm aware that multihead is possible with multiple graphics cards on an X11/Linux box. But I thought home versions of Windows, the most popular operating system for desktop and laptop computers in the industrialized English-speaking world and therefore probably the most interesting to the marketing industry, were locked down to support only one desktop session at once.

    Or perhaps you meant one at a time. Previous comments such as this one seem to indicate that multi-PC households are more common than family members taking turns on separate user accounts on the same PC. Furthermore, multi-PC households are more attractive to the marketing industry because they are more likely to be affluent enough to buy what the marketers are pushing.

  18. Re:WRONG (w/ proof)... apk by allo · · Score: 1

    Nope. Just open two terminals:

    $ nc -vlp 2000 #first terminal
    $ nc 0.0.0.0 2000 # second terminal

    listening on [any] 2000 ...
    connect to [127.0.0.1] from localhost [127.0.0.1] 47888