Cybersecurity experts keep discovering new kinds of cyberattacks as threat actors continue to evolve their hacking techniques. Security researchers from A&M University and the University of Florida recently uncovered a new fingerprint capturing and browser spoofing attack that compromises users’ privacy and security. Dubbed Gummy Browsers, the attack harvests browser fingerprinting information without the victims’ knowledge.
What is a Gummy Browsers Attack?
According to the research, the Gummy Browsers attack primarily focuses on obtaining users’ fingerprint details by tricking them into visiting a hacker-operated website. The attackers then spoof the fingerprint to use it on other targeted platforms. The Gummy Browsers attack technique enables a threat actor to disrupt any web application that uses browser fingerprinting.
Once the attacker obtains the victims’ fingerprints, they can be leveraged to:
- Bypass 2FA and MFA authentications
- Spoof users’ online fingerprints to steal identity and conduct frauds
- Steal personal data by breaking into user devices
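The first item above, seen from the server side, as an added example (not code from the research or from any product): a fingerprint built only from client-reported attributes is identical when the same values are replayed, so a match on its own should not waive the second factor. The attribute values, key, function names and policy names are constructed assumptions.

```python
import hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server

# Constructed sample: attributes a fingerprinting script reports for one browser.
VICTIM_ATTRS = {"userAgent": "ExampleBrowser/1.0", "timezone": "UTC-6",
                "screen": "1920x1080", "languages": "en-US,en"}
# The same values submitted by a different client, as the article describes.
REPLAYED_ATTRS = dict(VICTIM_ATTRS)

def fingerprint(attrs):
    """Hash of client-reported attributes, as a back end might store it."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def _mac(user, device_id):
    return hmac.new(SERVER_KEY, f"{user}|{device_id}".encode(),
                    hashlib.sha256).hexdigest()

def issue_device_token(user, device_id):
    """Token the server sets (e.g. as an HttpOnly cookie) after a full MFA login.
    It is scoped to this site, so a visit to another site does not reveal it."""
    return f"{device_id}.{_mac(user, device_id)}"

def token_valid(user, token):
    if not token or "." not in token:
        return False
    device_id, mac = token.rsplit(".", 1)
    return hmac.compare_digest(mac, _mac(user, device_id))

def naive_policy(known_fp, attrs):
    """Weak setting: a fingerprint match alone waives the second factor."""
    return "skip_mfa" if fingerprint(attrs) == known_fp else "require_mfa"

def hardened_policy(user, known_fp, attrs, token):
    """Fingerprint is only a risk signal; waiving MFA also needs the server token."""
    if not token_valid(user, token):
        return "require_mfa"
    return "skip_mfa" if fingerprint(attrs) == known_fp else "require_mfa"

if __name__ == "__main__":
    known = fingerprint(VICTIM_ATTRS)
    print("naive, replayed attrs:   ", naive_policy(known, REPLAYED_ATTRS))
    print("hardened, replayed attrs:",
          hardened_policy("alice", known, REPLAYED_ATTRS, None))
```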
Fingerprint Spoofing Methods
The researchers revealed three methods that could be used to spoof the users’ fingerprints online. These include:
- Script Injection – In this method, attackers spoof victims’ fingerprints by injecting scripts that carry the values extracted through JavaScript API calls.
- Browser Setting and Debugging Tool – Attackers manipulate the browser settings and the debugging tool, which enable one to alter various attributes of the client device and the browser.
- Script Modification – Attackers change the browser properties by modifying the scripts embedded on the website before the properties are sent to the web server.
Risks of Stolen Fingerprints
With the increase in fingerprint and biometric authentication procedures, stolen digital fingerprints have become one of the primary targets of cybercriminals. Threat actors even trade stolen credentials along with fingerprints on various darknet forums, allowing cybercriminals and affiliates to perform scams and frauds.
“Our results showed that Gummy Browsers can successfully impersonate the victim’s browser transparently almost all the time without affecting the tracking of legitimate users. Since acquiring and spoofing the browser characteristics is oblivious to both the user and the remote web server, Gummy Browsers can be launched easily while remaining hard to detect. The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser fingerprinting is starting to get widely adopted in the real world. In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale,” the researchers said.