January 16, 2017 By Douglas Bonderud 3 min read

Browser data is valuable data. Marketing companies and advertising agencies want to know everything they can about user surfing and buying habits, and cybercriminals leverage this information to create targeted attacks. To accomplish this aim, advertisers and fraudsters widely use single-browser fingerprinting (SBF) to keep tabs on users without their knowledge.

As noted by Bleeping Computer, however, a team of U.S. researchers developed a set of cross-browser fingerprinting (CBF) techniques to identify underlying hardware components and snoop on users, no matter which browsing platform they choose.

Cross-Browser Fingerprinting Tracks User Habits

Single-browser tracking has enjoyed marked success, but attempts to follow users from browser to browser largely fell flat since each offering processed and handled information differently. According to ZDNet, the new work by Yinzhi Cao and Song Li of Lehigh University in Pennsylvania and Erik Wijmans of Washington University in St. Louis resulted in a cross-browser method able to identify 99.24 percent of desktop users.

The trick lies in making browsers perform operations using computer hardware rather than staying in-program and then tying these hardware components to specific systems. Already, the team has tracked users via:

  • Screen resolution: Often used for SBF, this measure was considered unreliable for CBF. With in-browser zoom levels factored in, this is a reliable tracking method.
  • Audio context: By measuring how audio signals are processed and handled by the onboard sound card, it’s possible to identify the same user across different browsers.
  • Vertex shader: Since vertex shaders are used by the graphics processing unit (GPU) and graphics driver rather than the browser, they can be traced to specific users.
  • Number of central processing unit (CPU) virtual cores: Using the browser parameter “hardwareConcurrency,” researchers were able to determine unique maximum thresholds.

All major browsers are vulnerable to these techniques, except for the Tor browser. Since its primary function is internet anonymity, the browser intentionally normalizes outputs to obfuscate user details.

Ad Absurdum

So what does the advent of more powerful CBF techniques mean for users? In all likelihood, it means more tailored advertisements appearing more often, since companies have access to a bigger pool of increasingly specific data. Of course, big browser-makers such as Microsoft and Google could push back to reduce the chance of fingerprinting, but the chances are hit-and-miss since ad revenue is a huge part of their business models.

Consider the recent removal of Chrome extension AdNauseum, which not only hid ads from users but actively clicked every ad in the background to create fake data profiles and confound marketing agencies. At the start of 2017, the extension was suddenly dropped and its creator given a stock explanation. In all likelihood, it stems from a need for tech giants to walk the line between protecting user privacy and leveraging their data for profit.

Tor: An Illusion of Privacy

It’s also worth noting that the Tor browser isn’t entirely safe from tracking. According to Naked Security, a technique called ultrasound cross-device tracking (uXDT) emerged in 2012. Put simply, it uses ultrasonic sounds played during TV or computer advertisements, which are then picked up by smartphones using uXDT-enabled apps. Users don’t hear the sound, and details about their viewing and surfing habits are sent to companies or cybercriminals without their knowledge or consent.

Applied to the Tor network, researchers discovered that it’s possible to set up a beacon site that plays the ultrasonic sound. If Tor users visit the site, their own phones could pick up the signal and unmask their activity.

The bottom line is that browser data is big business. New CBF techniques make it easier for companies to follow web surfers wherever they go — and harder for users to hide in plain sight.

More from

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.Both reports shed light on the persistent and growing threat of credential…

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Trends: Hardware gets AI updates in 2024

4 min read - The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as "AI PCs."Pre-AI hardware, adapted for AIA few years ago, AI often depended on hardware that was not explicitly designed for AI. One example is graphics processors. Nvidia Graphics Processing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today