January 16, 2017 By Douglas Bonderud 3 min read

Browser data is valuable data. Marketing companies and advertising agencies want to know everything they can about user surfing and buying habits, and cybercriminals leverage this information to create targeted attacks. To accomplish this aim, advertisers and fraudsters widely use single-browser fingerprinting (SBF) to keep tabs on users without their knowledge.

As noted by Bleeping Computer, however, a team of U.S. researchers developed a set of cross-browser fingerprinting (CBF) techniques to identify underlying hardware components and snoop on users, no matter which browsing platform they choose.

Cross-Browser Fingerprinting Tracks User Habits

Single-browser tracking has enjoyed marked success, but attempts to follow users from browser to browser largely fell flat since each offering processed and handled information differently. According to ZDNet, the new work by Yinzhi Cao and Song Li of Lehigh University in Pennsylvania and Erik Wijmans of Washington University in St. Louis resulted in a cross-browser method able to identify 99.24 percent of desktop users.

The trick lies in making browsers perform operations using computer hardware rather than staying in-program and then tying these hardware components to specific systems. Already, the team has tracked users via:

  • Screen resolution: Often used for SBF, this measure was considered unreliable for CBF. With in-browser zoom levels factored in, this is a reliable tracking method.
  • Audio context: By measuring how audio signals are processed and handled by the onboard sound card, it’s possible to identify the same user across different browsers.
  • Vertex shader: Since vertex shaders are used by the graphics processing unit (GPU) and graphics driver rather than the browser, they can be traced to specific users.
  • Number of central processing unit (CPU) virtual cores: Using the browser parameter “hardwareConcurrency,” researchers were able to determine unique maximum thresholds.

All major browsers are vulnerable to these techniques, except for the Tor browser. Since its primary function is internet anonymity, the browser intentionally normalizes outputs to obfuscate user details.

Ad Absurdum

So what does the advent of more powerful CBF techniques mean for users? In all likelihood, it means more tailored advertisements appearing more often, since companies have access to a bigger pool of increasingly specific data. Of course, big browser-makers such as Microsoft and Google could push back to reduce the chance of fingerprinting, but the chances are hit-and-miss since ad revenue is a huge part of their business models.

Consider the recent removal of Chrome extension AdNauseum, which not only hid ads from users but actively clicked every ad in the background to create fake data profiles and confound marketing agencies. At the start of 2017, the extension was suddenly dropped and its creator given a stock explanation. In all likelihood, it stems from a need for tech giants to walk the line between protecting user privacy and leveraging their data for profit.

Tor: An Illusion of Privacy

It’s also worth noting that the Tor browser isn’t entirely safe from tracking. According to Naked Security, a technique called ultrasound cross-device tracking (uXDT) emerged in 2012. Put simply, it uses ultrasonic sounds played during TV or computer advertisements, which are then picked up by smartphones using uXDT-enabled apps. Users don’t hear the sound, and details about their viewing and surfing habits are sent to companies or cybercriminals without their knowledge or consent.

Applied to the Tor network, researchers discovered that it’s possible to set up a beacon site that plays the ultrasonic sound. If Tor users visit the site, their own phones could pick up the signal and unmask their activity.

The bottom line is that browser data is big business. New CBF techniques make it easier for companies to follow web surfers wherever they go — and harder for users to hide in plain sight.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today