January 16, 2017 By Douglas Bonderud 3 min read

Browser data is valuable data. Marketing companies and advertising agencies want to know everything they can about user surfing and buying habits, and cybercriminals leverage this information to create targeted attacks. To accomplish this aim, advertisers and fraudsters widely use single-browser fingerprinting (SBF) to keep tabs on users without their knowledge.

As noted by Bleeping Computer, however, a team of U.S. researchers developed a set of cross-browser fingerprinting (CBF) techniques to identify underlying hardware components and snoop on users, no matter which browsing platform they choose.

Cross-Browser Fingerprinting Tracks User Habits

Single-browser tracking has enjoyed marked success, but attempts to follow users from browser to browser largely fell flat since each offering processed and handled information differently. According to ZDNet, the new work by Yinzhi Cao and Song Li of Lehigh University in Pennsylvania and Erik Wijmans of Washington University in St. Louis resulted in a cross-browser method able to identify 99.24 percent of desktop users.

The trick lies in making browsers perform operations using computer hardware rather than staying in-program and then tying these hardware components to specific systems. Already, the team has tracked users via:

  • Screen resolution: Often used for SBF, this measure was considered unreliable for CBF. With in-browser zoom levels factored in, this is a reliable tracking method.
  • Audio context: By measuring how audio signals are processed and handled by the onboard sound card, it’s possible to identify the same user across different browsers.
  • Vertex shader: Since vertex shaders are used by the graphics processing unit (GPU) and graphics driver rather than the browser, they can be traced to specific users.
  • Number of central processing unit (CPU) virtual cores: Using the browser parameter “hardwareConcurrency,” researchers were able to determine unique maximum thresholds.

All major browsers are vulnerable to these techniques, except for the Tor browser. Since its primary function is internet anonymity, the browser intentionally normalizes outputs to obfuscate user details.

Ad Absurdum

So what does the advent of more powerful CBF techniques mean for users? In all likelihood, it means more tailored advertisements appearing more often, since companies have access to a bigger pool of increasingly specific data. Of course, big browser-makers such as Microsoft and Google could push back to reduce the chance of fingerprinting, but the chances are hit-and-miss since ad revenue is a huge part of their business models.

Consider the recent removal of Chrome extension AdNauseum, which not only hid ads from users but actively clicked every ad in the background to create fake data profiles and confound marketing agencies. At the start of 2017, the extension was suddenly dropped and its creator given a stock explanation. In all likelihood, it stems from a need for tech giants to walk the line between protecting user privacy and leveraging their data for profit.

Tor: An Illusion of Privacy

It’s also worth noting that the Tor browser isn’t entirely safe from tracking. According to Naked Security, a technique called ultrasound cross-device tracking (uXDT) emerged in 2012. Put simply, it uses ultrasonic sounds played during TV or computer advertisements, which are then picked up by smartphones using uXDT-enabled apps. Users don’t hear the sound, and details about their viewing and surfing habits are sent to companies or cybercriminals without their knowledge or consent.

Applied to the Tor network, researchers discovered that it’s possible to set up a beacon site that plays the ultrasonic sound. If Tor users visit the site, their own phones could pick up the signal and unmask their activity.

The bottom line is that browser data is big business. New CBF techniques make it easier for companies to follow web surfers wherever they go — and harder for users to hide in plain sight.

More from

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

How I got started: Cyber AI/ML engineer

3 min read - As generative AI goes mainstream, it highlights the increasing demand for AI cybersecurity professionals like Maria Pospelova. Pospelova is currently a senior data scientist, and data science team lead at OpenText Cybersecurity. She also worked at Interest, an AI cybersecurity company acquired by MicroFocus and then by OpenText. She continues as part of that team today.Did you go to college? What did you go to school for?Pospelova: I graduated with a bachelor’s degree in computer science and a master’s degree…

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today