Cross-Browser Fingerprinting: Tracking and Verification Method of the Future or Abandoned Experiment?
At the NDSS Symposium of 2017, three researchers from Pennsylvania’s Lehigh University presented a paper on “(Cross-)Browser Fingerprinting via OS and Hardware Level Features”, which was bound to draw the attention of news outlets specializing in cybersecurity and fraud.
Proclaimed as a 2.5-generation technique occupying the space between fingerprinting and cross-device tracking, cross-browser fingerprinting promised to improve online verification and tracking significantly, overcoming the hurdle of users choosing to have more than one web browser on the same device to evade detection of malicious activities, as well as for privacy concerns.
So, what has happened since, and has this innovation been adopted?
From Browser to Cross-Browser Fingerprinting
Utilizing stateless identifiers and thus moving beyond the stateful, server-set identifiers of cookies for tracking purposes, browser fingerprinting scrutinizes the browser configuration of a website visitor in order to identify them. Applications vary, from assessing their intentions as part of anti-fraud and anti-money laundering efforts to malicious tracking and beyond. Browser fingerprinting taps into several data points related to the user’s browser, including their browser language; browser type and version; whether they have cookies enabled; their user agent; accelerator, proximity sensor, and gyroscope, for mobile browsers; local databases; etc.
This wealth of data points inform a user’s browser ID, from which various assertions can be made. In the white-hat case of fraud fighting, for example, identifying that someone is using Tor will mean more attention will be paid to them, since not all Tor users are malicious, yet almost all fraudsters will use Tor or another onion routing method. But it is not just individual findings that inform fraud analysts’ estimates. In reality, the strongest point of this technique is the potential to combine all of this data into one risk score, from which to draw conclusions about the nature and intentions of a user’s visit to a website or log-in to a service, flagging them and triggering appropriate protocols.
Surely, then, a cross-browser fingerprinting technique would be able to draw information from more than a user’s browser to create this profile, be it for tracking, risk scoring, or another purpose?
The Origins of Cross-Browser Fingerprinting
Let us now look into what cross-browser fingerprinting has promised to do – and whether it has been delivered.
Led by Yinzhi Cao, the cross-browser team also included Song Li and Erik Wijmans, who presented their findings at the San Diego Symposium. Write-ups lauding this new technique followed, as well as preceding the presentation, including on Ars Technica, from February 2017 – a few months before NDSS. Ars Technica writes, “Researchers have recently developed the first reliable technique for websites to track visitors even when they use two or more different browsers”.
Yet, it is important to acknowledge that before the three Lehigh University researchers who made techie news, it was in fact Hungarian researchers Boda, Földes, Gulyás, and Imre who first tapped into this potential back in 2011, in “User Tracking on the Web via Cross-Browser Fingerprinting”, a paper presented at and subsequently published in NordSec 2011: Information Security Technology for Applications. The paper “propose a new, browser-independent fingerprinting method”. To achieve this, the researchers utilized factors such as lists of installed fonts; part of the IP address; screen resolution; user agent; time zone, and more.
Technical Timeline – From 2011 to 2021
The Hungarian developers demonstrated their technique as being effective in identifying and verifying a user, even if this user switched browsers, uninstalled or installed new plugins or switched to a different ISP. Writing over a decade ago, they suggested that future research could look into hybrid techniques, as well as be implemented on and tailored to the – then still in its early days for the general public – mobile landscape.
It was starting from there that Cao et al. conducted their own research, identifying that “the only cross-browser fingerprinting work, Boda et al. adopts IP address as a main feature” and explaining that their solution achieves higher uniqueness rates of identifying up to 99.24% of users, with 91.44% cross-browser stability (vs Boda et al.’s 2011 effort achieved 84.64%). To achieve this, the US-based team prompts the browser to render more than 20 WebGL tasks with specific parameters and extract features from this rendering.
The JavaScript code they wrote to this end was made available as a GitHub repository licensed under GPL-3.0 but, despite some persistent interest, does not seem to be in an active development today, though Yinzhi Cao continues his research work into browser vulnerabilities and fingerprinting, among others, at Johns Hopkins University.
Some of the data points collected by the 2017 WebGL cross-browser fingerprinting method include graphic card; the presence of a do not track header; the user agent; AudioContext; CPU virtual cores; etc. They all come together to form a user ID that will vary greatly from user to user, thus boasting high uniqueness and cross-browser efficiency.
Past, Future, or Present?
At this stage, one might wonder: Five years have passed since. How come cross-browser fingerprinting has not been widely adopted?
The truth is that, despite the term itself not becoming more well-known, these techniques have already been adopted, greatly improved upon, and utilized by pioneering cybersecurity and anti-fraud companies. For transparency, I should mention that one of the Hungarian researchers, Gábor György Gulyás, worked alongside our team at SEON to develop a browser fingerprinting module based on hundreds of parameters, which is utilized in our 360-degree anti-fraud solution.
And this is a good example of precisely what happened to the two teams’ cross-browser fingerprinting research: It merged with other existing and upcoming fingerprinting modules to create hybrid, highly effective protocols that are usually offered as part of comprehensive security, tracking, and anti-fraud platforms. For instance, SEON’s fraud detection platform gathers data that includes almost all of the aforementioned factors, as well as several others, developed based on both internal and external research. It would be impossible to list them all, but as an example, I will mention keyboard layout; extensions in use; navigator properties; browser local databases; touch support; canvas size; and many more.
In effect, it is a hybrid approach that combines a browser hash, cookie hash, device hash, and more factors, which include basics such as IP address, to assess a user and their intentions, as well as whether the said user has been seen before, be it from this or another browser. In effect, the approach is cross-browser because only a portion of the dozens and dozens of data points are linked to one browser, and the rest are more than sufficient to gauge uniqueness and deliver cross-browser accuracy.
So, cross-browser fingerprinting might have never become the buzzword some anticipated it to be, but the research of the above pioneers and many like them have certainly been appreciated by those it concerned he most: industry insiders, who adopted it to create highly efficient products and improved existing solutions, effectively delivering cross-browser fingerprinting – even if it does not use this term.
ABOUT THE AUTHOR:
Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He’s the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager / Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what’s happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.