There are many websites on the Internet that track you and sell what they learn to marketers. Two things your browser gives away make this possible: the set of extensions you have installed and the list of websites you are currently logged in to, both of which can be probed without you noticing, and which basic tools do not reveal. This Inria Browser Extension and Login-Leak Experiment tool shows you, with a single click, what a website can learn about you in this way.
Browser Extension and Login-Leak Experiment Tool
The experiment works by sharing your browser fingerprint with the website, together with the browser extensions installed and a list of websites you are logged in to. Inria collects only anonymous data during the experiment and stores it securely on an in-house server; the data is used solely for research purposes and is not shared with anyone outside Inria. The test also requires third-party cookies to be enabled in your browser, because the login checks depend on your browser sending the target site's cookies along with cross-site requests.
How Does The Detection Process Work
1] Redirection URL hijacking
This part of the process targets websites you are already logged in to. When you request a protected page without being logged in, the site redirects you to its login screen and records the page you asked for in the login URL (typically as a parameter) so that it can send you back there once you have signed in. This is where Inria's trick comes in: it changes that parameter so it points at an image on the same site, so a visitor who is already logged in is redirected straight to the image while a logged-out visitor gets the login page instead.
More technically, an <img> tag is embedded in the test page and pointed at the login URL with the modified redirect parameter. Two things can then happen. If you are not logged in, the response is the login page itself, which is not an image, so the image fails to load. If you are logged in, the browser follows the redirect, the image loads properly, and the load event reveals your login status to the page.
2] Abusing Content-Security-Policy violation for detection
Content-Security-Policy (CSP) is a security feature that lets a page restrict where the browser may load resources from. Inria uses it for login detection on sites that redirect between subdomains depending on whether you are logged in or not. The test page declares a policy that allows images from only one of those subdomains and embeds an <img> tag pointing at the target site. If the site redirects the request to the other subdomain, the browser blocks the load and reports a CSP violation, and whether or not that violation occurs reveals your login status.
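To make the two probes concrete, here is a Node.js model of both techniques, the redirect-URL probe from section 1] and the CSP probe from section 2]. It is example code added for this article, not the Inria tool's own code, and everything about the target site (www.example.com, its /login?next= parameter, the sid session cookie, the /static/logo.png image and the redirect of logged-in visitors to app.example.com) is an assumption made for the demonstration. The site is simulated so the code runs offline; the real in-page form of the probes is shown in the comment near the end.

```javascript
// Added example: a Node.js model of the two login-detection probes described
// above. Not the Inria tool's code. The site www.example.com, its /login?next=
// parameter, its "sid" cookie, its logo image and its redirect rules are all
// assumptions made up for this demonstration.

const ORIGIN = "https://www.example.com";
const SESSION_COOKIE = "sid";
const VALID_SESSION = "s3cr3t-session-token"; // constructed, not a real token

// Model of the target site. Like many real sites, /login carries the page the
// visitor originally asked for in ?next= and bounces a logged-in visitor
// straight there. The logged-in front page also redirects to app.example.com,
// which is the behaviour the CSP probe relies on (assumed).
function targetSite(url, cookies) {
  const u = new URL(url);
  const loggedIn = cookies[SESSION_COOKIE] === VALID_SESSION;
  if (u.hostname === "www.example.com" && u.pathname === "/login") {
    const next = u.searchParams.get("next") || ORIGIN + "/";
    return loggedIn ? { status: 302, location: next }
                    : { status: 200, contentType: "text/html" };
  }
  if (u.hostname === "www.example.com" && u.pathname === "/static/logo.png") {
    return { status: 200, contentType: "image/png" };
  }
  if (u.hostname === "www.example.com" && u.pathname === "/" && loggedIn) {
    return { status: 302, location: "https://app.example.com/" };
  }
  return { status: 200, contentType: "text/html" };
}

// Follow redirects the way a browser does for an <img> request and return
// every URL visited plus the final response. `cookies` stands for whatever the
// browser attaches to the cross-site request: with third-party cookies
// blocked, the probing page only ever sees the logged-out answer.
function fetchImage(site, url, cookies, maxHops = 5) {
  const hops = [url];
  let response = site(url, cookies);
  while (response.status === 302 && hops.length <= maxHops) {
    url = new URL(response.location, url).toString();
    hops.push(url);
    response = site(url, cookies);
  }
  return { hops, response };
}

// Technique 1: rewrite the login page's redirect parameter so that it points
// at an image on the same site.
function buildProbeUrl(loginUrl, redirectParam, imageUrl) {
  const u = new URL(loginUrl);
  u.searchParams.set(redirectParam, imageUrl);
  return u.toString();
}

// What <img src=probeUrl> observes: onload fires only if the final hop is an
// image, which happens only when the site redirected a logged-in visitor.
function probeViaRedirect(site, cookies) {
  const probe = buildProbeUrl(ORIGIN + "/login", "next", ORIGIN + "/static/logo.png");
  const { response } = fetchImage(site, probe, cookies);
  return response.status === 200 && response.contentType.startsWith("image/");
}

// Technique 2: the probing page ships a policy such as
//   <meta http-equiv="Content-Security-Policy" content="img-src https://www.example.com">
// and listens for "securitypolicyviolation". img-src is re-checked on every
// redirect hop, so a cross-subdomain redirect that only logged-in visitors
// receive raises a violation instead of loading silently.
function cspAllows(allowedOrigins, url) {
  return allowedOrigins.includes(new URL(url).origin);
}

function probeViaCsp(site, cookies) {
  const allowedOrigins = ["https://www.example.com"];
  const { hops } = fetchImage(site, ORIGIN + "/", cookies);
  const violated = hops.some((h) => !cspAllows(allowedOrigins, h));
  return { loggedIn: violated, hops };
}

// The same probes as written in a real page (browser only, not run here):
//   const img = new Image();
//   img.onload  = () => report("logged in");
//   img.onerror = () => report("not logged in");
//   img.src = buildProbeUrl(ORIGIN + "/login", "next", ORIGIN + "/static/logo.png");
//   document.addEventListener("securitypolicyviolation",
//                             (e) => report("logged in: " + e.blockedURI));

function demo() {
  const withSession = { [SESSION_COOKIE]: VALID_SESSION };
  console.log("redirect probe, logged in            :", probeViaRedirect(targetSite, withSession));
  console.log("redirect probe, logged out           :", probeViaRedirect(targetSite, {}));
  console.log("CSP probe, logged in                 :", probeViaCsp(targetSite, withSession).loggedIn);
  console.log("CSP probe, third-party cookies blocked:", probeViaCsp(targetSite, {}).loggedIn);
}
demo();
```

Run it with node. The redirect probe returns true only when the session cookie is presented, and the CSP probe reports a violation only when the logged-in redirect to app.example.com happens. Passing an empty cookie jar models a browser with third-party cookies blocked, which is why that setting defeats both checks.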
Prevention of browser attacks
There is not much a user can do against these invisible extension checks, but it is still advisable to use Firefox: although the technique can be used against it as well, Firefox has so far been affected far less in practice. Against web login detection, on the other hand, there are effective measures: disable third-party cookies in your browser, or use an extension such as Privacy Badger to do that for you.
Test your browser here at extensions.inrialpes.fr. The test supports Chrome, Firefox and Opera browsers only.