Although the name seems innocuous, attackers can use Gummy Browsers attacks to spoof your identity to impersonate you and gain access to applications by stealing and manipulating your browser “fingerprints”
On Oct. 21, 2021, U.S. security researchers from Texas A&M University, College Station, and the University of Florida, Gainesville, discovered a new method of cyberattack, which they call “Gummy Browsers.” In their research paper, researchers Zengrui Liu, Prakash Shrestha, and Nitesh Saxena demonstrated how they were able to successfully defraud servers by stealing users’ digital fingerprints.
Let’s explore what digital fingerprinting means in layman’s terms, how this attack has been executed, and the potential consequences of a Gummy Browsers attack.
What Is a Browser Fingerprint?
Before exploring the Gummy Browsers attack, let’s quickly understand what browser fingerprints are. When we talk about browser fingerprints, it’s not the actual print of your fingers we’re referring to — it’s the information about your device that browsers store to create a profile of you.
Whenever you connect to a server belonging to a website or app, it uses the information stored in the browser to identify and learn more about you. Browser fingerprinting is a controversial information-collecting technique for some, and the pros and cons are often weighed depending on which side of the conversation you sit on. Security companies like it because it can be used for security purposes, but as you’ll soon discover, it can also be used to thwart some security measures. Users and privacy advocates don’t like it because of privacy-related concerns.
A ’browser’s fingerprints may include a wide variety of information, including:
- Browser version
- Browser extensions and add-ons
- System properties (such as device model, operating system, screen size, and screen orientation)
- Browsing history
- Mouse movements and keyboard actions
- Type of fonts
- Password autofills
- Display aspect ratio
- Graphics driver, graphics card, or graphics processing unit information
- The ’device’s hardware ID
- Device time zone
For example, suppose you visited amazon.com, added a pair of shoes to your cart, then left the website. Your browser will store all this information. Now, the next time you visit amazon.com, it will access your browsing fingerprints and show you the shoes added to your cart on your last visit. Plus, when you surf other websites, you’ll see advertisements for shoes.
What Is a Gummy Browsers Attack?
Gummy Browsers is an account-hacking technique that uses browser fingerprinting data to spoof the identity of a user. This entails an attacker using spoofing methods to replicate your digital fingerprint to make the browser think that they’re you.
In their study, the researchers used the technique to exploit browser fingerprints and spoof the servers of websites and apps. Based on their results, they claim that attackers could use Gummy Browsers to impersonate the original user (i.e., you) to gain access to their data and accounts.
How Does a Gummy Browsers Attack Work?
All of this likely leaves you wondering how a Gummy Browsers attack works. Here’s a diagram that the researchers included in their article:
Image source: The Gummy Browsers research article by Liu, Shrestha, and Saxena.
Let’s break down Gummy Browsers attacks into four steps:
Step 1: Attackers use phishing and social engineering tactics to lead you to a website they control. This could be a dummy site or a reputable site that they’ve hacked.
Step 2: They then collect your browser fingerprints without your knowledge or consent (i.e., they steal it).
Step 3: Next, attackers use one of the following methods to manipulate their own browser fingerprints to impersonate you:
- Script injections
- Browser settings and debugging tools
- Script modifications
Step 4: Attackers connect to the target website and let the server access their phony browser fingerprints (i.e., the fingerprints that are designed to make them appear to be you). The target website misrecognizes the attacker as authentic, giving them access to your account. This means that an attacker can do everything you normally do once you’re logged into your account.
Example of Gummy Browsers Attack
Let’s say you see an advertisement online “50% discount on iPhones.” You click on it and are redirected to appple.com (instead of apple.com), which is a fraud site created by hackers. They collect your browser fingerprints while you’re on the site.
The attackers use the tools and scripts stated above and manipulate their own browser fingerprints to appear as yours. Now, the attackers connect to apple.com and present themselves as you with the same browser fingerprints. This allows them to authenticate as you (the legitimate user) to gain unauthorized access to your account and other sensitive data.
Say, you visit apple.com regularly. So, apple.com will misrecognize the attacker as you, and show them all the products based on your search preferences and behaviors. Plus, it might allow auto-login and let an attacker access your account where they can view the following types of information that might be stored or related to your account:
- Purchase history,
- Payment card details,
- Buying habits, and
- Other personal details (like name, phone number, email address, physical address, etc.).
Dangers of Gummy Browsers Attack
There isn’t any evidence indicating attackers are already using this trick, but according to the researchers, Gummy Browsers attacks are quite easy to perform for even a novice hacker. But what does all of this mean for you in terms of cyber security risks?
Privacy: These attacks can violate internet users’ privacy. The attacker sees all the advertisements targeted at the victims. They may also be able to extract information that they use for identity theft or sell to hackers, advertisers, or competitors of the targeted website, including:
- Gender,
- Age group,
- Income category,
- likes and preferences, and
- Habits.
Authentication: As the attacker’s browser has the same fingerprints as the victim’s browser, the website might allow the attacker to exploit the legitimate user’s auto-login capabilities. That means the attacker can bypass the authentication mechanism and get unauthorized access to the victim’s online accounts.
Fraud detection: Servers generally use some fraud detection techniques to make sure they have connected to the right user. However, their technology generally relies on the browser fingerprints of the users. But with these attacks, the browser fingerprints themselves are manipulated. So, attackers can bypass such fraud detection technology used by servers.
Summary of Gummy Browsers Threat
With a Gummy Browsers attack, hackers steal an internet user’s browser fingerprints and make a duplicate version of it in their own browser. To perform a Gummy Browsers attack, the hacker must first get the victim to visit a website controlled by the hacker. The victims, both the user and the website’s server, remain unaware of this spoofing.
An attacker can bypass fraud detection technology and authentication mechanism using the Gummy Browsers method. It is easy to execute and there aren’t yet any techniques developed to defend against this threat for applications that use browser fingerprinting data for authentication.
Gummy Browsers is dangerous because it compromises victims’ privacy and security and puts them at the risk of identity theft. The impact of a Gummy Browsers attack could be long-lasting for the victim, and the discovery of this type of attack raises the question of whether the current reliance on browser fingerprinting is safe.