OWASP AppSec Research 2013

The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user
accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.

Third-party cookies have played an integral role in user-tracking, due to the ease of use of remote script and image inclusions and their seamless integration on a main page of a website. Today, the more knowledgeable users, in an effort to hide from third-party advertisers, regularly delete delete their cookies and use the private-mode of their browsers.

This general unavailability of cookies motivated advertisers and trackers to find new ways of linking users to their browsing histories. Mayer in 2009 and Eckersley in 2010 both showed that the features of a browser and its plugins can be fingerprinted and used to track users without the need of cookies. Today, there is a small number of commercial companies that use such methods to provide device identification through web-based fingerprinting. Following the classification of Mowery et al., fingerprinting can be used either constructively or destructively. Constructively, a correctly identified device can be used to combat fraud, e.g., by detecting that a user who is trying to login to a site
is likely an attacker who stole a user's credentials or cookies, rather than the legitimate user. Destructively, device identification through fingerprinting can be used to track users between sites, without their knowledge and without a
simple way of opting-out.

In this talk, we first review Eckersley's Panopticlick, the first well known fingerprinting effort, and then
examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. We also report on a large scale crawl, aimed towards the discovery of popular websites that currently make use of fingerprinting.

At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers' implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.