A team of researchers from universities across the US has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine.
Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting.
These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data.
Researchers measured the response to these operations and used this information to identify the different hardware rigs, specific to distinct users, regardless of the browser accessing a test website.
For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software.
According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations.
Screen Resolution - Also used for single-browser fingerprinting (SBF) but thought to be unusable for CBF. Researchers discovered that by taking browser zoom levels into account, this measurement could be used reliably.
Number of CPU Virtual Cores - The browser parameter named hardwareConcurrency that provides the browser's maximum threshold in Web Worker operations. This is the same for most browsers, and for those that alter this value, it can be easily calculated (e.g., multiplied by two for Safari).
AudioContext - AudioContext provides a bundle of audio signal processing functionalities from signal generation to signal filtering with the help of the audio stack in the OS and the audio card. Measuring the output of AudioContext operations can identify the same user across different browsers, based on how the audio signal is processed.
List of Fonts - SBF technique that researchers adapted to work in CBF tracking. Researchers query a list of locally installed fonts or determine if certain fonts are installed based on how predetermined font characters (glyphs) are rendered inside the browser.
Line, Curve, and Anti-aliasing - Researchers can measure how browsers render lines, curves and anti-aliasing operations in HTML5 Canvas and WebGL. These operations are handled by the GPU.
Vertex Shader - Rendered by the GPU and the graphics driver, vertex shaders are used for drawing shadows and light on 3D objects and are used by WebGL.
Fragment Shader - Can be tracked in the same way as vertex shaders.
Transparency via Alpha Channel - Browsers use the GPU and the graphics driver to render transparency. The output of these operations is similar across all local browsers because of the "compositing algebra" used by each individual GPU and graphics driver.
Installed Writing Scripts (Languages) - Writing scripts (systems), commonly known as written languages, such as Chinese, Korean, and Arabic, require the installation of special libraries to display due to the size of the libraries and locality of the languages. Browsers do not provide APIs to access the list of installed languages; however, such information can be obtained via a side channel. Specifically, a browser with a particular language installed will display the language correctly and otherwise show several boxes. That is, the existence of boxes can be used to fingerprint the presence of that language.
Modeling and Multiple Models - Another technique that uses GPU output, this one tests how browsers render different predetermined 3D models.
Lighting and Shadow Mapping - Also a technique related to 3D graphics, this one measures how the browser handles lights and shadows.
Camera - Not the computer's camera, but another technique specific to 3D modeling. This technique is used to make 2D representations of 3D objects.
Clipping Planes - Researchers measured how 3D objects moved in limited planes. This WebGL operation, like the ones above, was handled by the PC's GPU, and not by the browser itself.
Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut.
Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
"Our fingerprintable features are highly reliable," researchers said, "the removal of one single feature has little impact on the fingerprinting results."
The research team recommends that users use the Tor Browser if they want to avoid cross-browser fingerprinting.
"Tor Browser normalizes many browser outputs to mitigate existing browser fingerprinting," researchers said, although the browser is not perfect and still allows some fingerprinting via screen width and AudioContext parameters. "We believe that it is easy for Tor Browser to normalize these remaining outputs," researchers added.
For other browsers, researchers recommend that they implement virtualization layers in order to process the hardware-level operations on a generic virtual platform (machine), the same for a large number of users.
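Why normalizing outputs helps, as an added example (not code from the paper or from Tor Browser): it counts how many machines can be singled out across browsers from raw readings, from hardware-level values, and from normalized values. The readings, the 200x100 rounding steps capped at 1000, and the fixed core count are constructed assumptions.

```javascript
// Constructed readings: three machines, each seen through two browsers.
// width/height/cores are the values a page reads; zoom is the browser zoom factor.
const readings = [
  { machine: "A", browser: "Chrome",  width: 1920, height: 1080, zoom: 1,    cores: 8 },
  { machine: "A", browser: "Firefox", width: 1536, height: 864,  zoom: 1.25, cores: 8 },
  { machine: "B", browser: "Chrome",  width: 1366, height: 768,  zoom: 1,    cores: 4 },
  { machine: "B", browser: "Safari",  width: 1366, height: 768,  zoom: 1,    cores: 2 },
  { machine: "C", browser: "Chrome",  width: 2560, height: 1440, zoom: 1,    cores: 16 },
  { machine: "C", browser: "Firefox", width: 1280, height: 720,  zoom: 2,    cores: 16 },
];

// Hardware-level values behind a reading: zoom-corrected resolution, and the
// core count doubled for Safari, as the article describes.
function hardware(r) {
  return {
    w: Math.round(r.width * r.zoom),
    h: Math.round(r.height * r.zoom),
    cores: r.browser === "Safari" ? r.cores * 2 : r.cores,
  };
}

const rawKey = (r) => `${r.width}x${r.height}|${r.cores}`;
const hardwareKey = (r) => { const v = hardware(r); return `${v.w}x${v.h}|${v.cores}`; };

// Hypothetical normalization layer: size rounded down to coarse steps and
// capped, core count fixed, so many machines report identical values.
const STEP_W = 200, STEP_H = 100, CAP = 1000, FIXED_CORES = 2;
function normalizedKey(r) {
  const v = hardware(r);
  const w = Math.min(CAP, Math.floor(v.w / STEP_W) * STEP_W);
  const h = Math.min(CAP, Math.floor(v.h / STEP_H) * STEP_H);
  return `${w}x${h}|${FIXED_CORES}`;
}

// trackable = machines whose browsers all share one key that no other machine has.
function summarize(keyFn) {
  const byMachine = new Map(), byKey = new Map();
  for (const r of readings) {
    const k = keyFn(r);
    if (!byMachine.has(r.machine)) byMachine.set(r.machine, new Set());
    if (!byKey.has(k)) byKey.set(k, new Set());
    byMachine.get(r.machine).add(k);
    byKey.get(k).add(r.machine);
  }
  let trackable = 0;
  for (const keys of byMachine.values()) {
    const [only] = keys;
    if (keys.size === 1 && byKey.get(only).size === 1) trackable++;
  }
  return { distinctKeys: byKey.size, trackable };
}
```

In this sample, machine B stays distinguishable after normalization because its height falls into a different bucket, which mirrors the residual screen-size leak the researchers mention.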
The research paper, titled "(Cross-)Browser Fingerprinting via OS and Hardware Level Features," will be presented at the Network & Distributed System Security Symposium in February 2017.