University researchers in the United States described a fingerprint collecting and browser spoofing vulnerability they dubbed Gummy Browsers. They warn about how simple it is to carry out the cyberattack and the severe consequences it may have.
A digital fingerprint is a one-of-a-kind online identifier linked to a particular person based on a device’s features. A user’s IP address, browser, OS version, installed apps, active add-ons, cookies, and even how the user moves their mouse or types on the keyboard are all examples of these characteristics.
Websites and marketers may use these fingerprints to verify that a visitor is human, follow a person across many sites, and serve targeted advertising.
Digital fingerprints are now sold on dark web markets. That’s why fraudsters and threat actors fake users’ identities across the web to make account takeovers simpler or for ad fraud.
The ‘Gummy Browsers’ hack involves collecting a person’s fingerprint by forcing them to visit a hacker-controlled website, then leveraging the collected fingerprint to fake that person’s identity on a target platform.
The researchers devised the following approach to impersonate the user on other sites after obtaining a fingerprint of the user with the help of existing or new scripts:
- Script Injection: Faking the victim’s fingerprint by launching scripts (with Selenium) that provide values retrieved by JavaScript API requests.
- Browser Setting and Debugging Tool: Both may be used to alter the browser attributes to any custom value, which affects the JavaScript API and the associated HTTP header value.
- Script Modification: Modifying the webpage’s scripts before they are delivered to the webserver to change the browser properties with faked values.
The researchers claimed they could deceive state-of-the-art fingerprinting technologies like FPStalker and Panopticlick for lengthy durations by collecting the victim’s fingerprint just once.
In an arXiv paper, the researchers explained that Gummy Browsers might effectively mimic the victim’s browser almost all the time without impacting genuine user monitoring.
Gummy Browsers can be launched easily while remaining undetected, since obtaining and spoofing browser attributes is invisible to both the user and the remote web server. According to researchers, threat actors may simply employ the Gummy Bear attack to fool systems that use fingerprinting.
The attack lets a script impersonate a user so that it appears to be a human rather than a bot and is served tailored advertisements, which enables ad fraud.
The Gummy Bear attack may also be used to get around security measures in authentication services that recognize real users. Oracle, Inauth, and SecureAuth IdP are some of the authentication systems that use fingerprinting.
Many banks and retail sites employ fingerprinting as part of their fraud detection systems, which may be circumvented by impersonating a genuine user. The findings raise concerns about whether browser fingerprinting is safe to use on a broad scale.
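The following added example (not from the researchers' paper or any vendor's product) shows, from the server's side, why a fingerprint built only from client-reported attributes cannot tell a genuine browser from one reporting the same values, and how pairing it with a server-issued device token changes the login decision. The attribute names, key, account name, and policy labels are constructed assumptions for illustration.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server

def fingerprint_id(attrs):
    """Hash the attributes the client reports; the server sees nothing else."""
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def device_token(account, fp):
    """Hypothetical server-issued token, set as an HttpOnly cookie at enrolment."""
    msg = f"{account}|{fp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def fingerprint_only(attrs, known_fp):
    """Weak policy: a matching fingerprint alone marks the device as trusted."""
    return "allow" if fingerprint_id(attrs) == known_fp else "step_up"

def fingerprint_plus_token(account, attrs, token, known_fp):
    """Hardened policy: the fingerprint is a hint, the token is the proof."""
    fp = fingerprint_id(attrs)
    if fp != known_fp:
        return ("step_up", "unknown_fingerprint")
    expected = device_token(account, fp)
    if token is None or not hmac.compare_digest(token, expected):
        # Worth logging: a matching fingerprint with no valid token is what
        # a replayed fingerprint looks like from the server side.
        return ("step_up", "fingerprint_match_without_token")
    return ("allow", "fingerprint_and_token")

# Constructed sample data: values a genuine browser reported at enrolment.
ENROLLED = {
    "userAgent": "ExampleBrowser/1.0 (constructed)",
    "platform": "ExampleOS",
    "language": "en-US",
    "screen": "1920x1080x24",
    "timezone": "America/Chicago",
}
KNOWN_FP = fingerprint_id(ENROLLED)
REPLAYED = dict(ENROLLED)  # same values reported by a different client

if __name__ == "__main__":
    print(fingerprint_only(REPLAYED, KNOWN_FP))
    print(fingerprint_plus_token("alice", REPLAYED, None, KNOWN_FP))
    good = device_token("alice", KNOWN_FP)
    print(fingerprint_plus_token("alice", ENROLLED, good, KNOWN_FP))
```

The `fingerprint_match_without_token` outcome is also a useful detection signal, since a returning genuine device would normally present both.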