January 16, 2017 By Douglas Bonderud 3 min read

Browser data is valuable data. Marketing companies and advertising agencies want to know everything they can about user surfing and buying habits, and cybercriminals leverage this information to create targeted attacks. To accomplish this aim, advertisers and fraudsters widely use single-browser fingerprinting (SBF) to keep tabs on users without their knowledge.

As noted by Bleeping Computer, however, a team of U.S. researchers developed a set of cross-browser fingerprinting (CBF) techniques to identify underlying hardware components and snoop on users, no matter which browsing platform they choose.

Cross-Browser Fingerprinting Tracks User Habits

Single-browser tracking has enjoyed marked success, but attempts to follow users from browser to browser largely fell flat since each offering processed and handled information differently. According to ZDNet, the new work by Yinzhi Cao and Song Li of Lehigh University in Pennsylvania and Erik Wijmans of Washington University in St. Louis resulted in a cross-browser method able to identify 99.24 percent of desktop users.

The trick lies in making browsers perform operations using computer hardware rather than staying in-program and then tying these hardware components to specific systems. Already, the team has tracked users via:

  • Screen resolution: Often used for SBF, this measure was considered unreliable for CBF. With in-browser zoom levels factored in, this is a reliable tracking method.
  • Audio context: By measuring how audio signals are processed and handled by the onboard sound card, it’s possible to identify the same user across different browsers.
  • Vertex shader: Since vertex shaders are used by the graphics processing unit (GPU) and graphics driver rather than the browser, they can be traced to specific users.
  • Number of central processing unit (CPU) virtual cores: Using the browser parameter “hardwareConcurrency,” researchers were able to determine unique maximum thresholds.

All major browsers are vulnerable to these techniques, except for the Tor browser. Since its primary function is internet anonymity, the browser intentionally normalizes outputs to obfuscate user details.

Ad Absurdum

So what does the advent of more powerful CBF techniques mean for users? In all likelihood, it means more tailored advertisements appearing more often, since companies have access to a bigger pool of increasingly specific data. Of course, big browser-makers such as Microsoft and Google could push back to reduce the chance of fingerprinting, but the chances are hit-and-miss since ad revenue is a huge part of their business models.

Consider the recent removal of Chrome extension AdNauseum, which not only hid ads from users but actively clicked every ad in the background to create fake data profiles and confound marketing agencies. At the start of 2017, the extension was suddenly dropped and its creator given a stock explanation. In all likelihood, it stems from a need for tech giants to walk the line between protecting user privacy and leveraging their data for profit.

Tor: An Illusion of Privacy

It’s also worth noting that the Tor browser isn’t entirely safe from tracking. According to Naked Security, a technique called ultrasound cross-device tracking (uXDT) emerged in 2012. Put simply, it uses ultrasonic sounds played during TV or computer advertisements, which are then picked up by smartphones using uXDT-enabled apps. Users don’t hear the sound, and details about their viewing and surfing habits are sent to companies or cybercriminals without their knowledge or consent.

Applied to the Tor network, researchers discovered that it’s possible to set up a beacon site that plays the ultrasonic sound. If Tor users visit the site, their own phones could pick up the signal and unmask their activity.

The bottom line is that browser data is big business. New CBF techniques make it easier for companies to follow web surfers wherever they go — and harder for users to hide in plain sight.

More from

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today