Tracking techniques on the Internet are becoming more and more sophisticated. Even if we use a browser such as Tor or a VPN, a tracking system can work out our identity from the content we visit, how we move the mouse, the language of the visited website, the public IP, the operating system and browser version, and a long list of other variables. Now, a new system for spying on us has been created.
Tracking techniques of this type, which identify people through their browsing habits and patterns, are known as fingerprinting, and the resulting fingerprints are so valuable that they are even sold on the Dark Web. Now, a group of researchers from the United States has developed a new technique called Gummy Browsers, with which they seek to warn of how easy such an attack is to carry out and of the serious consequences it can have.
- They can impersonate your identity when browsing
This attack consists of capturing a person’s fingerprint by making them visit a website controlled by the attacker, and then using that fingerprint on a target platform to impersonate that person. To spoof the identity on these other websites, the researchers developed three techniques.
The first is script injection, in which they impersonate the user by executing scripts with Selenium that supply the values extracted when the user visited the website.
The second is the browser's settings and debugging tools, both of which can be used to change browser attributes to any custom value.
The third and final one is script modification, in which the browser settings are replaced with the spoofed values by modifying the scripts embedded in the website before they are sent to the web server.
- They can use it for all kinds of malicious purposes
By keeping track of users, the researchers say they can carry out phishing after weeks or months, with a success rate of almost 100%. With this, it is possible, for example, to make a bot look like a human, to carry out malicious visits to websites, and to cause the end user to receive advertisements that contain malware or that seek to steal personal data through phishing.
It can also be used to bypass protection mechanisms from Google (reCAPTCHA among them), Oracle, InAuth, and SecureAuth IdP, which use the user’s previous browsing to determine whether the website is being visited by a bot or by a human. Banks also use fingerprinting techniques to try to stop possible attacks against their services.
The impact of Gummy Browsers on user privacy can be devastating if we take into account that there are browsers that will include fingerprinting systems such as FLoC. For this reason, with this work they suggest that it is not certain that this system will be launched on a global scale, and they warn of the risks that these systems entail.