Chromium extensions are unintentionally exposing an exploit that can be used for advanced browser fingerprinting. In this article, we’ll demonstrate how we managed to create a unique visitor identifier using the last modified timestamps of extension files.
To illustrate the issue, we prepared a demo that works in all Chromium-based browsers such as Google Chrome, Opera, or Microsoft Edge.
DISCLAIMER: Fingerprint does not use this technique in our products, and we do not provide cross-site tracking services. We focus on detecting and preventing fraud and supporting modern privacy trends for removing third-party tracking entirely. We support open discussions about such techniques to help internet browser providers fix them quickly.
When a user wants to install an ad blocker or a password manager onto their Google Chrome browser, they download an extension from the Google Web Store. This extension is typically an archive of files saved locally on their computer.
Each file of your computer’s file system contains useful metadata, such as its size and precise time of last modification. In the case of extensions, the last modification timestamp reflects the specific time when the extension was installed.