Home>Blog>The Hacker News Headlines>New Attack Let Attacker Collect and Spoof Browser’s Digital Fingerprints
The Hacker News Headlines

New Attack Let Attacker Collect and Spoof Browser’s Digital Fingerprints

Browser Digital Fingerprints

A “potentially devastating and hard-to-detect threat” could be
abused by attackers to collect users’ browser fingerprinting
information with the goal of spoofing the victims without their
knowledge, thus effectively compromising their privacy.

Academics from Texas A&M University dubbed the attack system
Gummy Browsers[1],” likening it to a
nearly 20-year-old “Gummy Fingers[2]” technique that can
impersonate a user’s fingerprint biometrics.

Automatic GitHub Backups

“The idea is that the attacker ? first makes the user ? connect
to his website (or to a well-known site the attacker controls) and
transparently collects the information from ? that is used for
fingerprinting purposes (just like any fingerprinting website ?
collects this information),” the researchers outlined. “Then, ?
orchestrates a browser on his own machine to replicate and transmit
the same fingerprinting information when connecting to ?, fooling ?
to think that ? is the one requesting the service rather than
?.”

Browser fingerprinting, also called machine fingerprinting,
refers to a tracking technique[3]
that’s used to uniquely identify internet users[4] by gathering attributes
about the software and hardware of a remote computing system — such
as the choice of browser, timezone, default language, screen
resolution, add-ons, installed fonts, and even preferences — as
well as behavioral characteristics that emerge when interacting
with the web browser of the device.

Thus in the event the website populates targeted ads based on
only the users’ browser fingerprints, it could result in a scenario
where the remote adversary can profile any target of interest by
manipulating their own fingerprints to match that of the victim for
extended periods of time, all the while the user and the website
remain oblivious to the attack.

Put differently, by exploiting the fact that the server treats
the attacker’s browser as the victim’s browser, not only would the
former receive same or similar ads like that of the impersonated
victim, it also allows the malicious actor to infer sensitive
information about the user (e.g., gender, age group, health
condition, interests, salary level, etc.) and build a personal
behavioral profile.

In experimental tests, the researchers found that the attack
system achieved average false-positive rates of greater than 0.95,
indicating that most of the spoofed fingerprints were misrecognized
as legitimate ones, thereby successfully tricking the digital
fingerprinting algorithms. A consequence of such an attack is a
breach of ad privacy and a bypass of defensive mechanisms put in
place to authenticate users and detect fraud.

“The impact of Gummy Browsers can be devastating and lasting on
the online security and privacy of the users, especially given that
browser-fingerprinting is starting to get widely adopted in the
real world,” the researchers concluded. “In light of this attack,
our work raises the question of whether browser fingerprinting is
safe to deploy on a large scale.”

References

  1. ^
    Gummy
    Browsers     (arxiv.org)
  2. ^
    Gummy
    Fingers     (www.theregister.com)
  3. ^
    tracking
    technique     (en.wikipedia.org)
  4. ^
    uniquely identify internet users
    (coveryourtracks.eff.org)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.