A "potentially devastating and hard-to-detect threat" could be abused by attackers to collect users' browser fingerprinting information with the goal of spoofing the victims without their knowledge, thus effectively compromising their privacy.
"The idea is that the attacker 𝐴 first makes the user 𝑈 connect to his website (or to a well-known site the attacker controls) and transparently collects the information from 𝑈 that is used for fingerprinting purposes (just like any fingerprinting website 𝑊 collects this information)," the researchers outlined. "Then, 𝐴 orchestrates a browser on his own machine to replicate and transmit the same fingerprinting information when connecting to 𝑊, fooling 𝑊 to think that 𝑈 is the one requesting the service rather than 𝐴."
Browser fingerprinting, also called machine fingerprinting, refers to a tracking technique that's used to uniquely identify internet users by gathering attributes about the software and hardware of a remote computing system — such as the choice of browser, timezone, default language, screen resolution, add-ons, installed fonts, and even preferences — as well as behavioral characteristics that emerge when interacting with the web browser of the device.
Thus in the event the website populates targeted ads based on only the users' browser fingerprints, it could result in a scenario where the remote adversary can profile any target of interest by manipulating their own fingerprints to match that of the victim for extended periods of time, all the while the user and the website remain oblivious to the attack.
Put differently, by exploiting the fact that the server treats the attacker's browser as the victim's browser, not only would the former receive same or similar ads like that of the impersonated victim, it also allows the malicious actor to infer sensitive information about the user (e.g., gender, age group, health condition, interests, salary level, etc.) and build a personal behavioral profile.
In experimental tests, the researchers found that the attack system achieved average false-positive rates of greater than 0.95, indicating that most of the spoofed fingerprints were misrecognized as legitimate ones, thereby successfully tricking the digital fingerprinting algorithms. A consequence of such an attack is a breach of ad privacy and a bypass of defensive mechanisms put in place to authenticate users and detect fraud.
"The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser-fingerprinting is starting to get widely adopted in the real world," the researchers concluded. "In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale."