A new attack ‘clones’ and abuses your unique online ID via browser fingerprinting


Researchers have developed a method to copy a victim’s web browser characteristics using browser fingerprinting techniques and then “impersonate” the victim.

The technique has multiple security implications: the attacker can conduct harmful or even illegal online activities, with the “record” of those activities assigned to the user; and two-factor authentication defenses may be compromised because an authentication site believes the user has been successfully recognized, based on the stolen browser’s fingerprint profile

Additionally, the attacker’s “ghost clone” may visit sites that change the type of ads served on that user profile, which means that the user will start receiving advertising content unrelated to their advertising activities. actual navigation. Additionally, the attacker can infer a lot about the victim based on how other (unwitting) websites respond to the spoofed browser ID.

The paper is titled Gummy Browsers: Targeted Browser Spoofing Against Advanced Fingerprinting Techniquesand comes from researchers at Texas A&M University and the University of Florida at Gainesville.

Presentation of the Gummy Browsers methodology. Source: https://arxiv.org/pdf/2110.10129.pdf

Gummy Browsers

The eponymous “gummy browsers” are cloned copies of the victim’s browser, named after the “Gummy Fingers” attack reported in the early 2000s, which replicated the victim’s actual fingerprints with gelatin copies in order to circumvent fingerprint identification systems.

The authors state:

“The main goal of Gummy Browsers is to trick the web server into believing that a legitimate user is accessing its services so that it can learn sensitive information about the user (e.g. user’s interests based on personalized advertisements), or circumvent various security systems (e.g., authentication and fraud detection) that rely on browser fingerprinting.

They continue:

“Unfortunately, we identify a significant threat vector against such linking algorithms. Specifically, we find that an attacker can capture and spoof characteristics of a victim’s browser, and therefore can “present” their own browser as the victim’s browser when connecting to a website.

The authors argue that the browser fingerprinting cloning techniques they developed threaten “a devastating and lasting impact on users’ online privacy and security”.

By testing the system against two fingerprint systems, FPStalker and Panopticlick from the Electronic Frontier Foundation, the authors found that their system was able to successfully simulate captured user information almost all the time, although the system ignores several attributes, including TCP/IP. stack fingerprints, hardware sensors and DNS resolvers.

The authors also argue that the victim will be completely unaware of the attack, making it difficult to circumvent.


Browser fingerprint profiles are generated by several configuration factors of the user’s web browser. Ironically, many defenses designed to protect privacy, including installing ad-blocking extensions, can actually make a browser fingerprint more distinct and easier to target.

Browser fingerprinting does not depend on cookies or session data, but rather provides a largely unavoidable snapshot of the user’s configuration on whatever domain the user is browsing, if that domain is configured to exploit these informations.

Away from overtly malicious practices, fingerprinting is typically used for targeting ads to users, for fraud detection, and for user authentication (one of the reasons why adding extensions or other basic changes to your browser may cause sites to require re-authentication, based on the fact that your browser profile has changed since your last visit).

The method proposed by the researchers only requires the victim to visit a website configured to record their browser’s fingerprint – a practice which, according to a recent study, is prevalent on more than 10% of the top 100,000 websites. and part of Google Federated Learning. of Cohorts (FLOC), the search giant’s alternative to cookie-based tracking. It is also a central technology in adtech platforms in general, thus reaching far more than the 10% of sites identified in the aforementioned study.

Typical facets that can be retrieved from a user's browser without the need for cookies.

Typical facets that can be retrieved from a user’s browser without the need for cookies.

Identifiers that can be extracted from a user visit (collected via JavaScript APIs and HTTP headers) into a cloneable browser profile include language settings, operating system, browser versions and extensions, installed plugins, screen resolution, hardware, color depth, time zone, timestamps, installed fonts, canvas characteristics, user agent string, HTTP request headers, the device’s IP address and language settings, among others. Without access to many of these features, many commonly expected web features would not be possible.

Extracting information via ad network responses

The authors note that advertising data about the victim is quite easy to expose by impersonating their captured browser profile, and can be usefully exploited:

‘[If] browser fingerprinting is used for personalized and targeted advertisements, the web server, hosting a benign website, would push the same or similar advertisements to the attacker’s browser as would have been pushed to the attacker’s browser the victim because the web server sees the attacker’s browser as the victim’s browser. Based on the personalized advertisements (e.g. related to pregnancy products, drugs and brands), the attacker can infer various sensitive information about the victim (e.g. gender, age group, condition health, interests, salary level, etc.), or even build a personal behavioral profile of the victim.

“Leakage of this personal and private information can pose a frightening threat to user privacy.”

Since browser fingerprints change over time, returning the user to the attack site will keep the cloned profile up-to-date, but the authors argue that a one-time clone can still allow periods of attack. surprisingly long effective.

User authentication spoofing

Getting an authentication system to avoid two-factor authentication is a boon for cybercriminals. As the authors of the new paper note, many current authentication (2FA) frameworks use a “recognized” inferred browser profile to associate the account with the user. If the site’s authentication systems are convinced that the user is trying to log in on a device that was used during the last successful login, it may, for the user’s convenience, not require 2FA.

The authors observe that Oracle, InAuth, and SecureAuth IdP all practice some form of this “verification skip,” based on a user’s saved browser profile.

Fraud detection

Various security services use browser fingerprinting as a tool to determine the likelihood of a user engaging in fraudulent activity. The researchers note that Seon and IPQualityScore are two such companies.

Thus, it is possible, thanks to the proposed methodology, either to unfairly characterize the user as a fraudster by using the “ghost profile” to trigger the thresholds of such systems, or to use the stolen profile as a “beard” to genuine attempts at fraud. , diverting forensic analysis from the profile of the aggressor to the victim.

Three attack surfaces

The document offers three ways to use the Gummy Browser system against a victim: Acquire-once-usurp-once involves appropriating the victim’s browser identifier in support of a one-time attack, such as an attempt to access a protected domain under the guise of the user. In this case, the “age” of the identity document does not matter, because the information is processed quickly and without follow-up.

In a second approach, Acquire-once-spoof-frequentlythe attacker seeks to develop a profile of the victim by observing how web servers respond to his profile (i.e. ad servers that serve specific types of content assuming a “familiar” user has already an associated browser profile).

Finally, Acquire-frequently-usurp-frequently is a longer-term scheme designed to regularly update the victim’s browser profile by making them repeat their visit to the harmless exfiltration site (which may have been developed as a news site or blog, for example). This way, the attacker can run a fraud detection spoof over a longer period of time.

Extraction and results

Spoofing methods used by Gummy Browsers include script injection, use of browser tuning and debugging tools, and script modification.

Features can be exfiltrated with or without JavaScript. For example, user-agent headers (which identify the brand of the browser, such as Chromium, firefoxet al.), can be derived from HTTP headers, some of the most basic, unblockable information needed for functional web browsing.

By testing the Gummy Browser system against FPStalker and Panopticlick, researchers achieved an average “property” (of a suitable browser profile) of over 0.95 across three fingerprint algorithms, making a workable clone of the Captured ID.

The article highlights the need for system architects not to rely on browser profile characteristics as a security token and implicitly criticizes some of the broader authentication frameworks that have adopted this practice, especially when used as method of maintaining “user-friendliness” by avoiding or deferring the use of two-factor authentication.

The authors conclude:

“The impact of Gummy browsers can be devastating and lasting on online security and user privacy, especially as browser fingerprinting begins to gain widespread adoption in the real world. In light of this attack, our work raises the question of whether browser fingerprinting can be safely deployed at scale.


Comments are closed.