Browser extensions are powerful tools that enhance the web browsing experience, offering their users a wide range of functionalities. However, these features can also introduce security and privacy issues for their users, mainly through a technique known as extension fingerprinting — where malicious websites track users based on the extensions they have installed. This is particularly interesting since many websites rely on advertising-based revenue for their existence, and the cookie-less form of tracking is also increasingly getting traction on the Web. Popular libraries such as FingerprintJS and Castle have already incorporated extensions as identifiable sources in their armor.
In this talk, we will present the growing threat of browser extension fingerprinting, shedding light on how extensions can inadvertently expose both users and the extension to certain risks. Our recent research uncovers that over 3,000 Chrome and Firefox extensions are vulnerable to fingerprinting through techniques such as JavaScript namespace pollution and other observable side effects despite existing defense mechanisms [1].
The audience will takeaway the following:
What are some of the ways by which browser extensions can be fingerprinted.
The risks for both user privacy and extensions' behavior.
Insights from recent research on vulnerable extensions.
Potential strategies to mitigate fingerprinting risks.
And, of course, how to keep your extensions from being the "most wanted" on the Web!
[1] Agarwal, Shubham, Aurore Fass, and Ben Stock. "Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions." (To appear at) Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024.
Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/