z0ccc, a security-focused web developer, has designed a web application that demonstrates how other websites track users’ Internet activities using Chrome extensions they have installed.
“Extension Fingerprints” determines which Chrome extensions a user has installed and generates a unique tracking hash for each of them.
“Chrome extensions may be recognized by retrieving their web-accessible resources,” z0ccc stated. “These are the files inside an extension that web pages can access.”
Websites can use data like browser type and version, time zone, operating system, current plugins, and language to create a unique identification for users.
When creating a Chrome extension, an author can declare some assets as web-accessible resources, according to the developer.
“Typically, extensions use this functionality to expose images or other assets that need to be loaded in web pages,” z0ccc explained, “but any asset contained in an extension’s bundle can be made web-accessible.”
“The web-accessible resource of an installed extension can be successfully fetched by a webpage.” If the fetch fails, it’s most likely because it’s not installed.”
Some extensions generate a hidden access token, according to the creator, which helps them avoid detection.
“Any fetch operation carried out without the secret token will be unsuccessful. Detecting these protected extensions is significantly more difficult, but it is still doable, according to z0ccc.
“Resources from protected extensions will take longer to load than resources from unprotected extensions.”
“You can precisely identify if the protected extensions are installed by analyzing the time discrepancies,” the developer explained.
Users with more extensions have a more unique fingerprint, according to the developer, making them more trackable.
The Extension Fingerprints website is only compatible with Chromium browsers that use the Chrome Web Store to install extensions, although it can be customized to operate with Microsoft’s Edge browser.
Because it generates unique extension IDs for each browser instance, this method will not work with Mozilla Firefox.
Information sourced from Rual de Vries, My Boadband