Fingerprinting in style: Detecting browser extensions via injected style sheets

Pierre Laperdrix; Oleksii Starov; Quan Chen; Alexandros Kapravelos; Nick Nikiforakis

Fingerprinting in style: Detecting browser extensions via injected style sheets

Pierre Laperdrix
, Oleksii Starov
, Quan Chen
, Alexandros Kapravelos
, Nick Nikiforakis

Computer Science

Université de Lille
Palo Alto Networks, Inc.
North Carolina State University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

45 Scopus citations

Abstract

Browser extensions enhance the web experience and have seen great adoption from users in the past decade. At the same time, past research has shown that online trackers can use various techniques to infer the presence of installed extensions and abuse them to track users as well as uncover sensitive information about them. In this work we present a novel extension-fingerprinting vector showing how style modifications from browser extensions can be abused to identify installed extensions. We propose a pipeline that analyzes extensions both statically and dynamically and pinpoints their injected style sheets. Based on these, we craft a set of triggers that uniquely identify browser extensions from the context of the visited page. We analyzed 116K extensions from Chrome's Web Store and report that 6,645 of them inject style sheets on any website that users visit. Our pipeline has created triggers that uniquely identify 4,446 of these extensions, 1,074 (24%) of which could not be fingerprinted with previous techniques. Given the power of this new extension-fingerprinting vector, we propose specific countermeasures against style fingerprinting that have minimal impact on the overall user experience.

Original language	English
Title of host publication	Proceedings of the 30th USENIX Security Symposium
Publisher	USENIX Association
Pages	2507-2524
Number of pages	18
ISBN (Electronic)	9781939133243
State	Published - 2021
Event	30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online Duration: Aug 11 2021 → Aug 13 2021

Publication series

Name	Proceedings of the 30th USENIX Security Symposium

Conference

Conference	30th USENIX Security Symposium, USENIX Security 2021
City	Virtual, Online
Period	08/11/21 → 08/13/21

Cite this

@inproceedings{6ac29200119b492781b7709c66889003,

title = "Fingerprinting in style: Detecting browser extensions via injected style sheets",

abstract = "Browser extensions enhance the web experience and have seen great adoption from users in the past decade. At the same time, past research has shown that online trackers can use various techniques to infer the presence of installed extensions and abuse them to track users as well as uncover sensitive information about them. In this work we present a novel extension-fingerprinting vector showing how style modifications from browser extensions can be abused to identify installed extensions. We propose a pipeline that analyzes extensions both statically and dynamically and pinpoints their injected style sheets. Based on these, we craft a set of triggers that uniquely identify browser extensions from the context of the visited page. We analyzed 116K extensions from Chrome's Web Store and report that 6,645 of them inject style sheets on any website that users visit. Our pipeline has created triggers that uniquely identify 4,446 of these extensions, 1,074 (24\%) of which could not be fingerprinted with previous techniques. Given the power of this new extension-fingerprinting vector, we propose specific countermeasures against style fingerprinting that have minimal impact on the overall user experience.",

author = "Pierre Laperdrix and Oleksii Starov and Quan Chen and Alexandros Kapravelos and Nick Nikiforakis",

note = "Publisher Copyright: {\textcopyright} 2021 by The USENIX Association. All rights reserved.; 30th USENIX Security Symposium, USENIX Security 2021 ; Conference date: 11-08-2021 Through 13-08-2021",

year = "2021",

language = "English",

series = "Proceedings of the 30th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "2507--2524",

booktitle = "Proceedings of the 30th USENIX Security Symposium",

}

Laperdrix, P, Starov, O, Chen, Q, Kapravelos, A & Nikiforakis, N 2021, Fingerprinting in style: Detecting browser extensions via injected style sheets. in Proceedings of the 30th USENIX Security Symposium. Proceedings of the 30th USENIX Security Symposium, USENIX Association, pp. 2507-2524, 30th USENIX Security Symposium, USENIX Security 2021, Virtual, Online, 08/11/21.

Fingerprinting in style: Detecting browser extensions via injected style sheets. / Laperdrix, Pierre; Starov, Oleksii; Chen, Quan et al.
Proceedings of the 30th USENIX Security Symposium. USENIX Association, 2021. p. 2507-2524 (Proceedings of the 30th USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Fingerprinting in style

T2 - 30th USENIX Security Symposium, USENIX Security 2021

AU - Laperdrix, Pierre

AU - Starov, Oleksii

AU - Chen, Quan

AU - Kapravelos, Alexandros

AU - Nikiforakis, Nick

PY - 2021

Y1 - 2021

N2 - Browser extensions enhance the web experience and have seen great adoption from users in the past decade. At the same time, past research has shown that online trackers can use various techniques to infer the presence of installed extensions and abuse them to track users as well as uncover sensitive information about them. In this work we present a novel extension-fingerprinting vector showing how style modifications from browser extensions can be abused to identify installed extensions. We propose a pipeline that analyzes extensions both statically and dynamically and pinpoints their injected style sheets. Based on these, we craft a set of triggers that uniquely identify browser extensions from the context of the visited page. We analyzed 116K extensions from Chrome's Web Store and report that 6,645 of them inject style sheets on any website that users visit. Our pipeline has created triggers that uniquely identify 4,446 of these extensions, 1,074 (24%) of which could not be fingerprinted with previous techniques. Given the power of this new extension-fingerprinting vector, we propose specific countermeasures against style fingerprinting that have minimal impact on the overall user experience.

AB - Browser extensions enhance the web experience and have seen great adoption from users in the past decade. At the same time, past research has shown that online trackers can use various techniques to infer the presence of installed extensions and abuse them to track users as well as uncover sensitive information about them. In this work we present a novel extension-fingerprinting vector showing how style modifications from browser extensions can be abused to identify installed extensions. We propose a pipeline that analyzes extensions both statically and dynamically and pinpoints their injected style sheets. Based on these, we craft a set of triggers that uniquely identify browser extensions from the context of the visited page. We analyzed 116K extensions from Chrome's Web Store and report that 6,645 of them inject style sheets on any website that users visit. Our pipeline has created triggers that uniquely identify 4,446 of these extensions, 1,074 (24%) of which could not be fingerprinted with previous techniques. Given the power of this new extension-fingerprinting vector, we propose specific countermeasures against style fingerprinting that have minimal impact on the overall user experience.

UR - https://www.scopus.com/pages/publications/85114506315

M3 - Conference contribution

AN - SCOPUS:85114506315

T3 - Proceedings of the 30th USENIX Security Symposium

SP - 2507

EP - 2524

BT - Proceedings of the 30th USENIX Security Symposium

PB - USENIX Association

Y2 - 11 August 2021 through 13 August 2021

ER -

Fingerprinting in style: Detecting browser extensions via injected style sheets

Abstract

Publication series

Conference

Other files and links

Fingerprint

Cite this