Everything You Always Wanted to Know About Fingerprinting Browser Extensions, But Were Afraid to Ask

Browser extensions can be fingerprinted and tracked through web accessible resources and visible side effects.

• Browser extensions can be easily fingerprinted through static extraction or behavioral fingerprinting.
• Developers can stop static extraction by referencing images and CSS from websites or CDNs.
• Behavioral fingerprinting is more difficult to get rid of because it requires extra UI buttons and ad blockers.
• The middle way combines the best of both worlds by using CSS-based extension fingerprinting.
• Web accessible resources can be used to unmask browser extensions.
• Visible side effects of extensions can be used to fingerprint and track them.
• A system can automatically compare a page with and without an extension to detect changes that could be used to fingerprint.

The Dr. Web Link Checker extension adds a shield to links on websites that are malicious. The extension injects a div element and styles it with CSS. However, if a page has a div with the same class as the injected element, it will inherit the styles from the extension's CSS, making it difficult to differentiate between what the extension did and what the page did. This can be used as a building block for an attack to unmask the extension.

Abstract:​More and more users are finding out about browser fingerprinting and how trackers can use it to supplement or altogether replace cookie-based tracking. In this talk, we will explore the landscape of a specific kind of browser fingerprinting, namely browser-extension fingerprinting. Since users explicitly choose which extensions to install, the discovery of a user's extensions can reveal sensitive socioeconomic properties about that user, such as, their level of income, their political leanings, their technical expertise, and even their religion. Moreover, since different users install different sets of browser extensions, the set of extension of a given user can be straightforwardly turned into that user's fingerprint. We will go over the different techniques that are available for fingerprinting browser extensions (including web-accessible resources, DOM modifications, stylesheet hijacking) and what modern browsers are doing in order to protect their users against fingerprinting.​​​