May 7, 2022

Hijacking a Web Browser Fingerprint

With the (eventual) banning of third-party cookies, advertisers and hackers need to find a new way to track people on the Internet. They don't care if they have the user's consent or not, and they don't care how low they need to sink. Privacy is not a word that they have any relationship to… they'll do whatever they have to do to put the 'right' advertising or link in front of any user that might make them a bit richer.

Browser fingerprinting is a new way that these people plan to track their victims. By using every possible method at their command, they find out every publicly available setting for your web browser and your system. With luck, they'll get a combination that is unique enough to pinpoint that browser fingerprint to just one person: You.

But not all of them intend to passively sit back and hope that you click on their links. No, there's a different way they can make money off of your web browser fingerprint. This article covers hijacking someone's identity in a brand new way so that specific advertising can be forced upon them against their will.


What is Browser Fingerprinting?

For those of you not familiar with the term, browser fingerprinting is how advertisers, government organizations, and slimy website owners build a hardware and software profile of a user, without using third-party cookies.

If you look at a huge group of Internet users, in the range of millions, you might think that it's difficult to pick a single person out of that vast crowd without some kind of username attached. But when you start listing out every detectable feature of someone's web browser, you accumulate a lot of data points. These points can be cross-referenced in a massive database. Every detail that can be mined comes into play. The web browser tells the scripts run by these websites quite a few things: the browser window's dimensions, browser version, OS information, location, audio drivers, and graphics capabilities.
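The cross-referencing described above can be made concrete by measuring how many visitors share each combination of attributes. The following is an added example, not code from the original article; the eight-visitor population and its attribute values are constructed for illustration.

```javascript
// Constructed sample population: eight visitors and four attributes that a
// page script can read. None of this is real measurement data.
const visitors = [
  { id: "A", ua: "Chrome 101 / Windows 10", screen: "1920x1080", tz: "America/New_York", gpu: "Intel UHD 620" },
  { id: "B", ua: "Chrome 101 / Windows 10", screen: "1920x1080", tz: "America/New_York", gpu: "NVIDIA GTX 1060" },
  { id: "C", ua: "Chrome 101 / Windows 10", screen: "1920x1080", tz: "Europe/Berlin", gpu: "Intel UHD 620" },
  { id: "D", ua: "Chrome 101 / Windows 10", screen: "2560x1440", tz: "America/New_York", gpu: "Intel UHD 620" },
  { id: "E", ua: "Firefox 100 / Linux", screen: "1920x1080", tz: "Europe/Berlin", gpu: "Intel UHD 620" },
  { id: "F", ua: "Firefox 100 / Linux", screen: "1920x1080", tz: "Europe/Berlin", gpu: "Intel UHD 620" },
  { id: "G", ua: "Chrome 101 / Windows 10", screen: "1920x1080", tz: "America/New_York", gpu: "Intel UHD 620" },
  { id: "H", ua: "Safari 15 / macOS", screen: "2560x1440", tz: "America/Los_Angeles", gpu: "Apple M1" },
];
const ALL_ATTRS = ["ua", "screen", "tz", "gpu"];

// Fingerprint key: the chosen attribute values, serialized unambiguously.
function fingerprintKey(visitor, attrs) {
  return JSON.stringify(attrs.map((a) => visitor[a]));
}

// Map each fingerprint key to the number of visitors sharing it
// (the size of that fingerprint's anonymity set).
function anonymitySetSizes(population, attrs) {
  const sizes = new Map();
  for (const v of population) {
    const key = fingerprintKey(v, attrs);
    sizes.set(key, (sizes.get(key) || 0) + 1);
  }
  return sizes;
}

// Fraction of the population whose fingerprint is shared with nobody else.
function uniqueFraction(population, attrs) {
  const sizes = anonymitySetSizes(population, attrs);
  const unique = population.filter((v) => sizes.get(fingerprintKey(v, attrs)) === 1);
  return unique.length / population.length;
}

// Identifying information, in bits, carried by one visitor's fingerprint:
// -log2(share of the population with the same fingerprint).
function surprisalBits(population, attrs, id) {
  const visitor = population.find((v) => v.id === id);
  const sizes = anonymitySetSizes(population, attrs);
  return -Math.log2(sizes.get(fingerprintKey(visitor, attrs)) / population.length);
}

// Adding attributes one at a time shrinks the anonymity sets.
for (let n = 1; n <= ALL_ATTRS.length; n++) {
  const attrs = ALL_ATTRS.slice(0, n);
  console.log(attrs.join("+"), "unique:", uniqueFraction(visitors, attrs));
}
```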

A quality fingerprinting model can pick out individual users 95% of the time unless they're running a privacy app such as Hoody. If anyone wants to test how unique their browser fingerprint is, they should visit AmIUnique.

In a nutshell, third-party cookies are no longer needed to track users who keep script execution turned on when they're browsing. Turning off script execution breaks a huge percentage of the World Wide Web. It's estimated that 95.2% of sites use JavaScript. Although not all of them require JS for core website functionality, the vast majority of them do. Browser fingerprinting, therefore, remains a threat for anyone who wants to experience the web in its 'normal' state.

Why Would Someone Hijack a Browser Fingerprint?

Surely, once someone has a browser fingerprint, they'll just use it for their immediate personal gain, right? They can serve them highly targeted ads, target them with customized spear-phishing attacks, or track their activity across any sites that run the same ad network.

But what if instead of using a browser fingerprint, these entities clone it? By hijacking someone's browser fingerprint, an attacker can manipulate the entire advertising environment. They can feed that specific hardware and software profile into a botnet and 'visit' hundreds of sites that pertain to a specific topic… laundry detergent for example.

The ad agencies will all adjust, feeding those laundry detergent ads to the real owner of that unique browser fingerprint. Even though this particular user might have no native interest in those topics or products, they're going to be inundated with advertisements that have been forced upon them. The hijackers make money from the advertisers, who hire them to create an artificial boost in their click rates (no questions asked).

A more nefarious way to manipulate browser fingerprinting is by creating a patsy. Imagine if a criminal or intelligence organization hijacked a victim's fingerprint and used a botnet to make it look as though they had visited hundreds of sites about bomb building. Now they can be made into a suspect for an upcoming crime, or they can be used as a distraction or made into a patsy for a government operation.

Another frightening thing that a botnet can do is 'normalize' a certain activity that a browser fingerprint performs so that an unusual activity seems routine. For example, if the botnet uses someone's unique fingerprint to visit shady websites every Saturday, it becomes the expectation. So if their system is ever infiltrated, there's a window of opportunity to exfiltrate the stolen data to one of these suspect sites. Even if the advertisers' records are subpoenaed, they'll show no unusual activity. So not only can someone be set up as a dupe, but they can become a real victim who seems to be a 'crying wolf' when they get caught.

The official write-up for these kinds of hijacking attacks calls the forged, botted sessions 'Gummy Browsers'. While it's uncertain if that lingo is going to catch on in the security community, the level of detail in the study is admirable.
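For a site or ad network that receives these sessions, one signal of a cloned fingerprint being replayed by a botnet is the same fingerprint arriving from many different networks within a short time. The following is an added detection sketch, not code from the article or from the Gummy Browsers study; the event fields, the 60-second window, the threshold, and the log entries (which use documentation-reserved AS numbers) are assumptions constructed for illustration.

```javascript
// Constructed page-view log: time in seconds, fingerprint hash, source network.
const events = [
  { ts: 0, fp: "fp-1", net: "AS64500" }, // plausible real owner
  { ts: 20, fp: "fp-1", net: "AS64501" },
  { ts: 25, fp: "fp-1", net: "AS64502" },
  { ts: 40, fp: "fp-1", net: "AS64503" },
  { ts: 55, fp: "fp-1", net: "AS64504" },
  { ts: 100, fp: "fp-2", net: "AS64500" },
  { ts: 4000, fp: "fp-2", net: "AS64505" }, // same user later, other network
  { ts: 4030, fp: "fp-2", net: "AS64505" },
];

// Largest number of distinct networks seen for one fingerprint inside any
// sliding window of windowSec seconds. `list` must be sorted by ts.
function peakNetworks(list, windowSec) {
  const inWindow = new Map(); // network -> events currently in the window
  let start = 0;
  let peak = 0;
  for (const e of list) {
    inWindow.set(e.net, (inWindow.get(e.net) || 0) + 1);
    // Evict events that are older than the window relative to this event.
    while (e.ts - list[start].ts > windowSec) {
      const old = list[start++].net;
      const left = inWindow.get(old) - 1;
      if (left === 0) inWindow.delete(old);
      else inWindow.set(old, left);
    }
    peak = Math.max(peak, inWindow.size);
  }
  return peak;
}

// Flag fingerprints seen from more than maxNetworks networks in one window.
function findReplayedFingerprints(log, windowSec, maxNetworks) {
  const byFp = new Map();
  for (const e of log) {
    if (!byFp.has(e.fp)) byFp.set(e.fp, []);
    byFp.get(e.fp).push(e);
  }
  const flagged = [];
  for (const [fp, list] of byFp) {
    list.sort((a, b) => a.ts - b.ts);
    const peak = peakNetworks(list, windowSec);
    if (peak > maxNetworks) flagged.push({ fp, peakNetworks: peak });
  }
  return flagged;
}

console.log(findReplayedFingerprints(events, 60, 2));
```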

In Conclusion

Hijacking a web browser's fingerprint has multiple underhanded uses that can be manipulated by hackers, ad agencies, and government entities. It is highly suggested that users install reliable privacy software that will obscure their browser fingerprint so that they cannot be tracked or manipulated in this manner.

If you want to learn more about this topic, head on over to Browser Fingerprinting For The Clueless.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
