Automatically quantifying the "fingerprint" of browser extensions - arkteam

Posted by harmelink at 2020-04-07

Original authors: Oleksii Starov and Nick Nikiforakis

Original title: XHOUND: Quantifying the Fingerprintability of Browser Extensions

The 38th IEEE Symposium on Security and Privacy (IEEE S&P), 2017

Browser fingerprinting is an effective tracking method, and the list of browser plug-ins is often an important element of a browser fingerprint. However, with the spread of HTML5 and the security problems of plug-ins themselves, plug-in usage keeps declining, which inevitably reduces the tracking effectiveness of fingerprints that rely on the plug-in list. New fingerprint elements can be expected to keep appearing, so studying new browser fingerprinting techniques and their countermeasures is of great significance.

Oleksii Starov of Stony Brook University and others designed and implemented XHOUND, the first system that can automatically determine whether an extension can serve as a browser fingerprint element. The system automatically detects whether a browser extension makes a detectable change to the page DOM. If the change is detectable, then a page can use the same DOM check to tell whether the extension is installed in the browser, so the extension can be treated as an element of the browser fingerprint; that is, the extension has a "fingerprint". The overall XHOUND framework is divided into three stages: test preparation, execution and analysis.

1) In the test preparation stage, the extension's source code is modified to hook the DOM query functions, and the URLs the extension requires are extracted from the extension's manifest file.

2) In the execution stage, a domain name resolution component is introduced so that visits to specific domain names, and the specific URLs the extension targets, resolve to a honey page hosted locally.

3) In the analysis stage, the DOM tree is compared before and after, the dynamic elements added by the honey page itself (which are recorded) are removed, and the remaining DOM changes caused by the extension are detected to reach a conclusion.
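The comparison in the analysis stage can be sketched as follows. This is an added example, not XHOUND's code: DOM snapshots are modelled as plain objects, and every function name, the sample honey page and the injected elements are constructed for illustration.

```javascript
// Constructed DOM snapshots: plain objects stand in for real DOM nodes.
const el = (tag, attrs = {}, children = [], text = "") => ({ tag, attrs, children, text });

// One signature per node: ancestor tag path + sorted attributes + text.
function signatures(node, parent = "", out = []) {
  const path = parent ? `${parent}>${node.tag}` : node.tag;
  const attrs = Object.keys(node.attrs).sort().map(k => `${k}="${node.attrs[k]}"`).join(" ");
  out.push(`${path}[${attrs}]${node.text}`);
  node.children.forEach(c => signatures(c, path, out));
  return out;
}

// Multiset difference: entries of `a` not matched one-for-one by entries of `b`.
function minus(a, b) {
  const pool = new Map();
  b.forEach(s => pool.set(s, (pool.get(s) || 0) + 1));
  return a.filter(s => {
    const n = pool.get(s) || 0;
    if (n > 0) { pool.set(s, n - 1); return false; }
    return true;
  });
}

// DOM changes between two snapshots.
function diff(before, after) {
  const b = signatures(before), a = signatures(after);
  return { added: minus(a, b), removed: minus(b, a) };
}

// Changes attributable to the extension: what was observed with the extension
// installed, minus the changes the honey page is recorded to make on its own.
function extensionChanges(initial, pageOnly, withExtension) {
  const own = diff(initial, pageOnly);
  const seen = diff(initial, withExtension);
  const added = minus(seen.added, own.added);
  const removed = minus(seen.removed, own.removed);
  return { added, removed, fingerprintable: added.length + removed.length > 0 };
}

// Constructed honey page: its own script appends a banner; the hypothetical
// extension injects a button and tags <body> with a class.
const form = () => el("form", { id: "login" }, [el("input", { type: "password" })]);
const banner = () => el("div", { id: "banner" }, [], "hello");
const initial = el("body", {}, [form()]);
const pageOnly = el("body", {}, [form(), banner()]);
const withExtension = el("body", { class: "ext-on" },
  [form(), banner(), el("button", { id: "ext-fill" }, [], "Fill")]);
const result = extensionChanges(initial, pageOnly, withExtension);
console.log(result);
```

An extension author can run the same kind of check against their own content script to see which injected nodes or attributes a page could observe.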

The authors used XHOUND for a large-scale analysis of the top 10000 extensions in the Chrome store. 9.2% of the extensions introduce detectable DOM changes under any domain name, and 16.6% of the extensions introduce detectable DOM changes under a specific URL. For the top 1000 extensions, the results were 13.2% and 23%, respectively. This shows that the more popular the extension, the higher the detectable rate.

Although XHOUND can automatically detect whether an extension can be used as a fingerprint, it has certain limitations. First, XHOUND currently only supports Chrome and Firefox extensions, and its set of hooked functions may not be complete. Second, XHOUND only hooks the functions that query DOM elements and records changes to the DOM; it does not make use of changes the extension causes to the BOM (Browser Object Model). Finally, XHOUND cannot detect extensions that require user configuration upon initial installation. These limitations lead to a certain false alarm rate.