Accurate cross-browser fingerprinting is possible, researchers show

A group of researchers have come up with a browser fingerprinting technique that can allow interested parties to “identify” users across different browsers (on the same machine).

The group – Yinzhi Cao and Song Li from Lehigh University, and Erik Wijmans from Washington University in St. Louis – found that many novel OS and hardware level features, such as those from graphic cards, CPU, and installed writing scripts, can be used to accurately “fingerprint” users.

“Our evaluation shows that our approach can successfully identify 99.24% of users as opposed to 90.84% for state of the art on single-browser fingerprinting against the same dataset,” they noted.

They have proposed and successfully tested a number of cross-browser fingerprintable features, including screen resolution, the number of CPU virtual cores, list of fonts, installed writing scripts, and more.

They extract those features by asking browsers to perform tasks that rely on corresponding OS and hardware functionalities.

They found these fingerprintable features to be highly reliable – the removal of a single feature has little impact on the fingerprinting results. Also, that software rendering can be definitely used for fingerprinting.

Currently, the only way to prevent the collection of most of these features is to use the Tor Browser.

“Tor Browser normalizes many browser outputs to mitigate existing browser fingerprinting. That is, many features are unavailable in Tor Browsers—based on our test, only the following features, notably our newly proposed, still exist, which include the screen width and height ratio, and audio context information (e.g., sample rate and max channel count). We believe that it is easy for Tor Browser to normalize these remaining outputs,” they noted.

“Another thing worth mentioning is that Tor Browser disables canvas by default, and will ask users to allow the usage of canvas. If the user does allow canvas, she can still be fingerprinted.”