• Corpus ID: 239024688

Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques

@article{Liu2021GummyBT,
  title={Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques},
  author={Zengrui Liu and Prakash Shrestha and Nitesh Saxena},
  journal={ArXiv},
  year={2021},
  volume={abs/2110.10129}
}
We present a simple yet potentially devastating and hard-to-detect threat, called Gummy Browsers, whereby the browser fingerprinting information can be collected and spoofed without the victim’s awareness, thereby compromising the privacy and security of any application that uses browser fingerprinting. The idea is that the attacker A first makes the user U connect to his website (or to a well-known site the attacker controls) and transparently collects the information from U that is used for…
Phish in Sheep’s Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting
As users navigate the web they face a multitude of threats; among them, attacks that result in account compromise can be particularly devastating. In a world fraught with data breaches and

References

SHOWING 1-10 OF 37 REFERENCES
How Unique Is Your Web Browser?
  • P. Eckersley
  • Computer Science
    Privacy Enhancing Technologies
  • 2010
TLDR
The degree to which modern web browsers are subject to "device fingerprinting" via the version and configuration information that they will transmit to websites upon request is investigated, and what countermeasures may be appropriate to prevent it is discussed.
Fingerprinting Information in JavaScript Implementations
TLDR
This paper identifies two new avenues for browser fingerprinting, one of which subverts the whitelist mechanism of the popular NoScript Firefox extension, which selectively enables web pages’ scripting privileges to increase privacy by allowing a site to determine if particular domains exist in a user's NoScript whitelist.
Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting
TLDR
A new method for identifying web browsers based on the underlying Javascript engine, which can be executed on the client side within a fraction of a second, is proposed, three orders of magnitude faster than previous work on Javascript engine fingerprinting, and can be implemented with well below a few hundred lines of code.
FP-STALKER: Tracking Browser Fingerprint Evolutions
TLDR
It is shown that browser fingerprints tend to change frequently—from every few hours to days—due to, for example, software updates or configuration changes, yet, despite these frequent changes, it is shown that browser fingerprints can still be linked, thus enabling long-term tracking.
Fingerprinting Web Users Through Font Metrics
TLDR
It is shown that of the over 125,000 code points examined, it suffices to test only 43 in order to account for all the variation seen in the experiment, and font metrics, being orthogonal to many other fingerprinting techniques, can augment and sharpen those other techniques.
User Tracking on the Web via Cross-Browser Fingerprinting
TLDR
It is shown that a part of the IP address, the availability of a specific font set, the time zone, and the screen resolution are enough to uniquely identify most users of the five most popular web browsers, and that user agent strings are fairly effective but fragile identifiers of a browser instance.
FPGuard: Detection and Prevention of Browser Fingerprinting
TLDR
Evaluation results show that FPGuard can effectively recognize and mitigate fingerprinting-related activities and distinguish normal from abnormal webpages (or fingerprinters).
Detecting and Defending Against Third-Party Tracking on the Web
TLDR
This work develops a client-side method for detecting and classifying five kinds of third-party trackers based on how they manipulate browser state, and finds that no existing browser mechanisms prevent tracking by social media sites via widgets while still allowing those widgets to achieve their utility goals, which leads to a new defense.
Device fingerprinting for augmenting web authentication: classification and analysis of methods
TLDR
This work summarizes and classifies 29 available methods and their properties; defines attack models relevant to augmenting passwords for user authentication; and qualitatively compares them based on stability, repeatability, resource use, client passiveness, difficulty of spoofing, and distinguishability offered.
Pixel Perfect: Fingerprinting Canvas in HTML5
TLDR
A new system fingerprint is proposed, inspired by the observation that browser behavior varies depending on the behavior of resources, which is consistent, high-entropy, orthogonal to other fingerprints, transparent to the user, and readily obtainable.