If one sure thing exists in the security and privacy area, it’s that cybercriminals will always find ways to use technological advances against users. With the internet as a fundamental communication and commercial technology, data derived from users’ online activities has become more important to businesses and organizations. Most companies use browser fingerprinting for legitimate reasons. However, a rise in privacy concerns has sparked new browsers that protect people from having their fingerprints detected.
Unfortunately, malicious actors can use both the browser fingerprinting technologies and the anti-detection technologies to circumvent security controls like authentication and bot detection technologies.
By understanding what browser fingerprinting and browser fingerprint spoofing are, organizations can work to protect themselves from these new cyber risks.
What Is Browser Fingerprinting?
Browser fingerprinting uses browser settings and attributes as features that identify a user’s device. Every time a person visits a website, the browser sends information that includes:
- Browser type and version
- Operating system
- Active plugins and extensions
- Time zone
- Language
- Screen resolution
- System fonts
- Keyboard layout
- Whether the Tor browser is in use
- Sensors
- Navigator properties
- User agent
Recently, researchers discovered cross-browser fingerprinting, a technique that combines device and browser fingerprinting to identify users across multiple browsers.
How Does A Browser Fingerprint Work?
Every time a browser makes a request to a website, a snippet of JavaScript collects and shares the browser data as part of the communication process. Using code templates that automate various functions, the website collects this openly shared data. When the website’s code executes, it passes the collected data through a hash function that turns text, images, and audio into standardized data values.
Several open-source browser fingerprint libraries exist, including:
- FingerprintJS
- ImprintJS
- ClientJS
Understanding How Anti-Detect or Anti-Fingerprinting Browsers Work
Legitimate reasons for browser fingerprinting exist, like enabling marketing, preventing fraud, or detecting botnets. However, since browser fingerprints collect and share a lot of nonpublic information, many people have privacy concerns. To protect themselves online, they started using anti-detect or anti-fingerprinting browsers.
Although similar to typical browsers like Chrome and Firefox, these browsers enable people to customize their digital fingerprints. Users create profiles within the browser, then apply:
- Generalization: changing how the browser shares information to make the user’s browser seem generic
- Randomization: periodically changing the attributes so that websites can’t reliably link information to the user’s browser data
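The hashing step described under "How Does A Browser Fingerprint Work?" and the two strategies above, shown as an added example (not code from FingerprintJS, ImprintJS, ClientJS, or any anti-detect browser). The attribute objects are constructed sample data, `GENERIC` is a hypothetical generic profile, and FNV-1a stands in for whatever hash a real library uses.

```javascript
// Constructed sample attributes; a real collector reads them from the browser.
const alice = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
  language: "fr-CA",
  timeZone: "America/Toronto",
  screen: "2560x1440",
  fonts: ["DejaVu Sans", "Fira Code", "Noto Serif"],
};
const bob = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
  language: "en-GB",
  timeZone: "Europe/London",
  screen: "1366x768",
  fonts: ["Arial", "Verdana"],
};
// Hypothetical generic profile that a generalizing browser reports for everyone.
const GENERIC = { ...bob, language: "en-US", timeZone: "UTC", screen: "1920x1080" };

// FNV-1a (32-bit): a small stand-in for the hash a fingerprinting library applies.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Canonicalize (sorted keys, sorted lists) so ordering never changes the identifier.
function fingerprint(attrs) {
  const parts = Object.keys(attrs).sort().map((key) => {
    const v = attrs[key];
    return `${key}=${Array.isArray(v) ? [...v].sort().join(",") : String(v)}`;
  });
  return fnv1a(parts.join("|"));
}

// Generalization: every user reports the same generic values.
function generalize(attrs) {
  return { ...attrs, ...GENERIC };
}

// Randomization: one attribute shifts per session (seed passed in so runs repeat).
function randomize(attrs, sessionSeed) {
  return { ...attrs, screen: `${1900 + ((sessionSeed * 37) % 100)}x1080` };
}
```

Generalized profiles for `alice` and `bob` hash to the same identifier, while two randomized sessions of `alice` do not. An identical set of attribute values always yields the same identifier, so the hash by itself says nothing about which device supplied the values.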
Gummy Browsers: Browser Fingerprint Spoofing
Understanding browser fingerprinting and how anti-fingerprinting browsers work is fundamental to understanding how browser fingerprint spoofing works. With browser fingerprint spoofing, malicious actors collect the identifiable browser information, then use it to impersonate the legitimate user. Two types of browser fingerprint spoofing attacks exist.
In 2021, researchers identified a browser fingerprint spoofing attack methodology that they named Gummy Browsers.
Gummy Browsers Spoofing Methods
The research team listed the following three methods for spoofing the browser’s fingerprint:
- Script injection: using a browser extension to load and execute website scripts before loading the website so that the malicious actors can overwrite the browser properties and pretend to be the legitimate user
- Browser setting and debugging tool: using the browser’s debugging tool intended for web application developers to change the browser settings and attributes to any custom value
- Script modification: combining the debugger tool capabilities with a website’s embedded scripts to input fake values
Obtaining the Fingerprint
Gummy Browsers can obtain the browser fingerprint in two ways:
- With JavaScript: using Application Programming Interfaces (APIs), similar to how websites collect data, which can be transparent to the user
- Without JavaScript: retrieving data from supported languages, HTTP headers, and fonts
Implementing the Attack
Finally, malicious actors can implement the attacks in two different ways:
- Visual attack: using the browser information libraries and identifying browser settings that they can use to change attributes through script injection or script modification
- Algorithm attack: attacking browser fingerprinting algorithms to acquire a version of someone’s browser fingerprint then using that fingerprint
Gummy Browsers Data Protection Implications
Since websites process browser fingerprinting on the backend, malicious actors can potentially undermine security and privacy in three ways:
- Compromise ad privacy: pretending to be a user to collect sensitive information from ads, like location and habits, then sell it on the dark web
- Defeat user authentication: combining the spoofed fingerprint with stolen credentials to overcome website authentication controls that remember a browser
- Bypass fraud detection: impersonating someone’s browser to perpetrate fraud since the prevention technologies frequently use browser fingerprints
Bot Attacks: Browser Fingerprint Spoofing at Scale with Anti-Detect Browsers
Since anti-detect browsers enable people to set their own configurations, malicious actors can use them to mimic their victim’s browser fingerprint. Malicious actors can purchase infostealer malware, like the RedLine Stealer, in dark web markets like the Genesis Market.
The stolen browser fingerprints typically contain:
- Credentials
- IP addresses
- Cookies
- System details
Armed with this information, cybercriminals can customize the anti-detect browser’s configurations, including metadata like:
- User agent strings
- Headers
- Screen size
- Device name
- WebRTC
- JavaScript version
- Plugins
- Fonts
- Mimetype
Modern bot detection and anti-fraud systems typically use browser fingerprints to identify suspicious or fraudulent traffic. When malicious actors use anti-detect browsers and purchase browser fingerprints, these technologies get “tricked” into considering them as real users, enabling them to go undetected and deploy successful attacks.
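One way a backend can avoid being "tricked" by a replayed fingerprint, covering both the "defeat user authentication" case and the bot-detection case above. This is an added example, not code from any product named on this page. It treats the fingerprint as one signal among several and forces step-up authentication on any deviation. The record fields, reason strings, and sample values are constructed assumptions.

```javascript
// Constructed record a site might keep for a "remembered" browser (field names are assumptions).
const remembered = {
  fingerprint: "a41c09e7",
  deviceTokenHash: "tok-hash-1", // hash of a server-issued cookie value
  country: "CA",
  asn: 64500, // documentation-range AS number
};

// Constructed attempts: the real user, and a replay of a stolen fingerprint plus cookie.
const UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0";
const legit = {
  fingerprint: "a41c09e7", deviceTokenHash: "tok-hash-1",
  country: "CA", asn: 64500, headerUserAgent: UA, scriptUserAgent: UA,
};
const replayed = { ...legit, country: "NL", asn: 64511 };

// Collect a reason string for every way the attempt deviates from the record.
function deviations(rec, attempt) {
  const reasons = [];
  if (attempt.fingerprint !== rec.fingerprint) reasons.push("fingerprint_changed");
  if (attempt.deviceTokenHash !== rec.deviceTokenHash) reasons.push("device_token_mismatch");
  if (attempt.country !== rec.country) reasons.push("new_country");
  if (attempt.asn !== rec.asn) reasons.push("new_network");
  // The HTTP header and the script-reported value come from different layers;
  // disagreement suggests browser properties were overridden.
  if (attempt.headerUserAgent !== attempt.scriptUserAgent) reasons.push("ua_header_script_mismatch");
  return reasons;
}

// A matching fingerprint never skips authentication by itself.
function assessLogin(rec, attempt) {
  const reasons = deviations(rec, attempt);
  const replaySuspected = attempt.fingerprint === rec.fingerprint && reasons.length > 0;
  return { action: reasons.length === 0 ? "allow" : "step_up", replaySuspected, reasons };
}
```

Here `assessLogin(remembered, replayed)` returns `step_up` with `replaySuspected: true`, even though both the fingerprint and the cookie-derived token match the stored record.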
Flare: Generative AI for Threat Monitoring
Since monitoring for browser fingerprint spoofing requires technical knowledge, organizations can use Flare’s generative AI to help mitigate risks. Flare’s AI Powered Assistant takes complex technical alerts and explains them in ways that enable senior security professionals to work faster while giving junior analysts the context they need to respond to alerts.
Using Flare’s automated cyber threat intelligence, analysts can seamlessly translate Russian, Arabic, Spanish, French, and other languages found in threat actor forum posts. Cyber threat intelligence and security operations teams gain visibility into and context around events, enabling them to effectively leverage intelligence and reduce risk. With Flare’s AI Powered Assistant, organizations can monitor the ever-increasing attack surface by optimizing threat intelligence garnered from illicit Telegram channels, public GitHub repositories, archived dark web data, paste sites, infected device markets, and the clear web.
To get started with Flare in just 15 minutes, try a free trial.