Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting

Karami, Soroush; Ilia, Panagiotis; Σολωμός, Κωνσταντίνος; Polakis, Jason

doi:10.14722/ndss.2020.24383

Cited by 26 publications

(18 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the other hand, using a randomized value will result in the website calculating different identifiers across visits. As such, websites can leverage extension-fingerprinting techniques [71], [44], [77], [74] to infer the presence of these extensions and ignore the affected attributes when generating the F P ID . For Brave, websites simply need to check the User-agent header.…”

Section: E Optimization Effect: Leveraging Browser Fingerprintsmentioning

confidence: 99%

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers

Σολωμός¹,

Kristoff²,

Kanich³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Statement from the NDSS 2021 Program Committee: NDSS is devoted to ethical principles and encourages the research community to ensure its work protects the privacy, security, and safety of users and others involved. While the NDSS 2021 PC appreciated the technical contributions of this paper, it was the subject of a debate in our community regarding the responsible disclosure of vulnerabilities for the Firefox web browser. The PC examined and discussed the ethics concerns raised and the authors' response. Although no harm came to users, the authors' oversight could have made a non-vulnerable browser vulnerable to the attack proposed in the paper. The PC does not believe the authors acted in bad faith. Nevertheless, we decided to add this note as well as the authors' response (in an Appendix) to the paper because the NDSS PC takes both the ethics of responsible disclosure and fairness towards the authors seriously. It is the PC's view that researchers must not engage in disclosure practices that subject users to an appreciable risk of substantial harm. NDSS will work with other conferences to further improve the transparency of vulnerability disclosure to reduce such errors in the future.

show abstract

Section: E Optimization Effect: Leveraging Browser Fingerprintsmentioning

confidence: 99%

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers

Σολωμός¹,

Kristoff²,

Kanich³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…Tian et al [51] demonstrated how the HTML5 screen-sharing API could be used for various attacks; the proposed history sniffing attack requires the target URLs to actually be rendered on the user's screen, presenting an obstacle for the practicality of the attack and limiting the number of target URLs that can be tested. Karami et al [25] showed how the Performance API can be used to detect what browser extensions a user has installed.…”

Section: Related Workmentioning

confidence: 99%

Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage

Karami¹,

Ilia

Polakis

2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

“…Starov et al [34] presented XHOUND to investigate and quantify the finger-printability of Chrome extensions through DOM-based modifications. Soroush et al [20] extended the approach by automatic generating behavioral fingerprints. Alexander et al [32] studied a class of extension revelation attacks, where extensions reveal themselves by injecting their code on web pages, and invalidated the randomized ID of Firefox, and the attacker can use the random ID as a reliable fingerprint of the users.…”

Section: Related Workmentioning

confidence: 99%

Privacy Model: Detect Privacy Leakage for Chinese Browser Extensions

Zhao

Yang

et al. 2021

IEEE Access

View full text Add to dashboard Cite

The wide use of browser extensions brings the privacy leakage problem. The previous works detected private data transmission to find privacy leakage in Chrome or Firefox, but the real challenge is to determine whether the transmission is reasonable because the privacy data that existed in transmission does not absolutely mean leaking. To this end, we establish a privacy model for each extension, which contains the sensitive information permitted to be used and servers authorized to communicate with. In order to evaluate the effectiveness of the proposed method, we develop a dynamic browser extension privacy detection framework. It first builds privacy models for extensions and records all network traffic when accessing test pages. Then, the leakage results are presented according to the strict privacy leakage judgment rules. In this paper, the experiments are conducted in a real environment, and our work is verified by 34,095 extensions which are collected from 3 mainstream browsers in China from November 2019 to August 2020. There is a total of 2,983 extensions that exist privacy leakage. We further conduct a comprehensive analysis of the results including calculating the precision, recall, accuracy, and F1 score for each type of leakage, and show the information leaked by different extension categories and the malicious domain name that collecting the users' privacy, as well as the results changing of detection over time.

show abstract

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting

Cited by 26 publications

References 28 publications

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers

Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage

Privacy Model: Detect Privacy Leakage for Chinese Browser Extensions

Contact Info

Product

Resources

About