A group of researchers from Texas A&M University and the University of Florida developed an attack system that can be abused to collect users’ browser fingerprinting information to impersonate fingerprint-based authentication.
An attacker could potentially collect a user’s browser fingerprinting information in order to spoof victims without their knowledge.
“The idea is that the attacker 𝐴 first makes the user 𝑈 connect to his website (or to a well-known site the attacker controls) and transparently collects the information from 𝑈 that is used for fingerprinting purposes (just like any fingerprinting website 𝑊 collects this information),” the researchers explained. “Then, 𝐴 orchestrates a browser on his own machine to replicate and transmit the same fingerprinting information when connecting to 𝑊, fooling 𝑊 to think that 𝑈 is the one requesting the service rather than 𝐴.”
Browser fingerprinting (aka machine fingerprinting) is a user tracking technique that uses a variety of attributes to identify users of a remote computer system by attributes of their software and hardware. These include the browser’s settings, language preference, and screen resolution.
If the website only displays targeted ads based on the browser fingerprints of the users, it could expose them to exploitation by a remote adversary. An attacker can take advantage of the fact that their browser is treated as the victim’s browser, which allows them to collect sensitive information about the victim (gender, age group, health condition, interests, salary, etc.) and build a profile.
The researchers discovered that the majority of the spoofed fingerprints they used were misidentified as legitimate ones, successfully tricking the fingerprinting algorithms. This method allows them to circumvent digital fingerprinting algorithms, get around defensive mechanisms, and breach ad privacy.
“The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser fingerprinting is starting to get widely adopted in the real world,” the researchers concluded. “In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale.”