"In the modern web, the browser has emerged as the vehicle of choice, which users are to trust, customize, and use, to access a wealth of information and online services. However, recent studies show that the browser can also be used to invisibly fingerprint the user: a practice that may have serious privacy and security implications," they noted.
Device (or in this case browser) fingerprinting refers to the practice of collecting attributes about the device / browser - such as the device's screen size, the versions of installed software, and the list of installed fonts, etc. - used by the user and using it to fully or partially identify users / devices.
But while this practice can be great for preventing online identity theft, credit card fraud, or mitigating DDoS attacks, it can also be used to surreptitiously create user profiles.
The researchers have created their own framework for the detection and analysis of web-based fingerprinters - FPDetective.
"By applying our framework with a focus on font detection practices, we were able to conduct a large scale analysis of the million most popular websites of the Internet, and discovered that the adoption of fingerprinting is much higher than previous studies had estimated," they noted.
"Device fingerprinting raises serious privacy concerns for everyday users," the researchers pointed out. "Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to opt-out. Moreover, fingerprinting works just as well in the 'private-mode' of modern browsers, which cookie-conscious users may be utilizing to perform privacy-sensitive operations."
They also proved that two countermeasures that are use to defend against fingerprinting - the Tor Browser and Firegloves, a POC browser extension that returns randomized values when queried for certain attributes - have exploitable weaknesses that could make them useless.
For more details about their research, check out the whitepaper.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.