ABSTRACT
With the progression of modern browsers, online tracking has become the most concerning issue for preserving privacy on the web. As major browser vendors plan to ban, or have already banned, third-party cookies, trackers have to shift towards browser fingerprinting by incorporating novel browser APIs into their tracking arsenal. Understanding how new browser APIs are abused in browser fingerprinting techniques is a significant step toward ensuring protection from online tracking.
In this paper, we propose a novel hybrid system, named BFAD, that automatically identifies previously unknown browser fingerprinting APIs in the wild. The system combines dynamic and static analysis to accurately reveal browser API usage and automatically infer browser fingerprinting behavior. Based on the observation that a browser fingerprint is constructed by pulling information from multiple APIs, we leverage dynamic analysis and a locality-based algorithm to discover all involved APIs, and static analysis of the dataflow of fingerprinting information to accurately associate them with each other. Our system discovers 231 fingerprinting APIs in the Alexa top 10K domains, starting from only 35 commonly known fingerprinting APIs and 17 data transmission APIs. Of these 231 APIs, 161 are not identified by state-of-the-art detection systems. Since our approach is fully automated, we repeated our experiments 11 months later and discovered 18 new fingerprinting APIs that were not found in our previous experiment. We present case studies of the fingerprinting ability of all 249 detected APIs.
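As an added illustration (not BFAD's own code), the locality idea from the abstract applied to a constructed browser-API access trace: APIs accessed near a known fingerprinting API, in scripts that also call a data transmission API, become candidates. The seed sets, the 5-line window, the trace records and the use of a transmission call in the same script as a stand-in for the paper's static dataflow check are all assumptions.

```javascript
// Added illustration, not the paper's code: locality-based expansion of a seed
// set of fingerprinting APIs over a constructed browser-API access trace.
// Assumption: a transmission API called in the same script stands in for the
// paper's static dataflow check (a deliberate simplification).
const SEED_FP_APIS = new Set([
  "navigator.userAgent", "screen.width", "CanvasRenderingContext2D.toDataURL",
]);
const TRANSMISSION_APIS = new Set(["XMLHttpRequest.send", "navigator.sendBeacon"]);
// Constructed trace ({script, line, api} per observed access) for three scripts.
const SAMPLE_TRACE = [
  { script: "a.js", line: 10, api: "navigator.userAgent" },          // seed
  { script: "a.js", line: 11, api: "navigator.hardwareConcurrency" }, // near seed
  { script: "a.js", line: 12, api: "screen.width" },                 // seed
  { script: "a.js", line: 13, api: "screen.colorDepth" },            // near seed
  { script: "a.js", line: 15, api: "CanvasRenderingContext2D.toDataURL" },
  { script: "a.js", line: 400, api: "document.getElementById" },     // far away
  { script: "a.js", line: 420, api: "navigator.sendBeacon" },        // transmission
  { script: "b.js", line: 3, api: "navigator.hardwareConcurrency" },
  { script: "b.js", line: 4, api: "navigator.userAgent" },
  { script: "b.js", line: 90, api: "XMLHttpRequest.send" },
  { script: "c.js", line: 1, api: "screen.width" },       // c.js never transmits,
  { script: "c.js", line: 2, api: "screen.availHeight" }, // so it is ignored
];
// Returns candidate APIs (not in either seed set) that are accessed within
// `window` lines of a known fingerprinting API, in at least `minScripts`
// scripts that also call a data transmission API.
function discoverCandidates(trace, { window = 5, minScripts = 1 } = {}) {
  const byScript = new Map();
  for (const rec of trace) {
    if (!byScript.has(rec.script)) byScript.set(rec.script, []);
    byScript.get(rec.script).push(rec);
  }
  const support = new Map(); // candidate api -> Set of supporting scripts
  for (const [script, recs] of byScript) {
    if (!recs.some((r) => TRANSMISSION_APIS.has(r.api))) continue;
    const seedLines = recs.filter((r) => SEED_FP_APIS.has(r.api)).map((r) => r.line);
    for (const r of recs) {
      if (SEED_FP_APIS.has(r.api) || TRANSMISSION_APIS.has(r.api)) continue;
      if (seedLines.some((l) => Math.abs(l - r.line) <= window)) {
        if (!support.has(r.api)) support.set(r.api, new Set());
        support.get(r.api).add(script);
      }
    }
  }
  return [...support]
    .filter(([, scripts]) => scripts.size >= minScripts)
    .map(([api, scripts]) => ({ api, scripts: scripts.size }))
    .sort((a, b) => b.scripts - a.scripts);
}
```

Raising `minScripts` is the knob that separates APIs recurring across many fingerprinting scripts from one-off neighbours of a seed access.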
Index Terms
- Automatic Discovery of Emerging Browser Fingerprinting Techniques