DOI: 10.1145/3543507.3583333
research-article
Public Access
Artifacts Available / v1.1

Automatic Discovery of Emerging Browser Fingerprinting Techniques

Published: 30 April 2023

ABSTRACT

With the progression of modern browsers, online tracking has become the most concerning issue for preserving privacy on the web. As major browser vendors plan to ban or have already banned third-party cookies, trackers have to shift towards browser fingerprinting by incorporating novel browser APIs into their tracking arsenal. Understanding how new browser APIs are abused in browser fingerprinting techniques is a significant step toward ensuring protection from online tracking.

In this paper, we propose a novel hybrid system, named BFAD, that automatically identifies previously unknown browser fingerprinting APIs in the wild. The system combines dynamic and static analysis to accurately reveal browser API usage and automatically infer browser fingerprinting behavior. Based on the observation that a browser fingerprint is constructed by pulling information from multiple APIs, we leverage dynamic analysis and a locality-based algorithm to discover all involved APIs, and static analysis on the dataflow of fingerprinting information to accurately associate them with one another. Our system discovers 231 fingerprinting APIs in Alexa top 10K domains, starting with only 35 commonly known fingerprinting APIs and 17 data transmission APIs. Of these 231 APIs, 161 are not identified by state-of-the-art detection systems. Since our approach is fully automated, we repeated our experiments 11 months later and discovered 18 new fingerprinting APIs that were not discovered in our previous experiment. Using case studies, we present the fingerprinting ability of a total of 249 detected APIs.

Supplemental Material

Automatic Discovery of Emerging Browser Fingerprinting Techniques.mov

Presentation video - short version (under 3 minutes)

mov, 47 MB


Published in

WWW '23: Proceedings of the ACM Web Conference 2023
April 2023
4293 pages
ISBN: 9781450394161
DOI: 10.1145/3543507

Copyright © 2023 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers

• research-article
• Research
• Refereed limited

Acceptance Rates

Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%
