Gummy Browsers attack allows you to spoof the user's identity

[Teacher]

By luring a victim to a website under his control, the attacker creates a digital fingerprint of the victim and uses it for illegal activities.

American scientists have presented a new method called Gummy Browsers, with which you can create a "cloned" digital fingerprint of a user by copying the characteristics of his browser. To do this, the attacker needs to lure the victim to a website under his control and create his digital fingerprint, which can then be used to spoof identity on different platforms, illegal activity, bypass two-factor authentication, etc.

As part of the study, specialists have developed the following methods of substituting personality on various sites:

• Script Injection - Spoofing a user's digital fingerprint by executing scripts (using a Selenium tool) that add values extracted from JavaScript API calls.
• Browser Configuration and Debugging Tools - Both tools can be used to change browser attributes to any value, which will affect the JavaScript API and the corresponding value in the HTTP header.
• Script modification - changing browser properties by modifying scripts embedded in a web site before sending them to the web server.

Using the Gummy Browsers method, experts were able to trick digital fingerprint tracking systems such as FPStalker and Panopliclick.

“The results showed that Gummy Browsers can successfully simulate the victim's browser without affecting the tracking of other users. Since the acquisition and spoofing of browser characteristics go unnoticed by both the user and the remote web server, the [attack] Gummy Browsers can be easily launched, but it will be difficult to detect it, ”the researchers noted.

 

[Teacher]

Gummy Browsers - a new way to take a digital fingerprint of the victim

Security researchers have come up with a new digital fingerprinting and browser spoofing technique. This cyberattack vector, dubbed Gummy Browsers, is easy enough to use in real attacks, experts warn.
As you know, a digital fingerprint is obtained based on a number of characteristics of the user's device: IP address, browser and operating system version, installed applications, add-ons, cookies, and even the method of entering text from the keyboard or mouse movements.
Website owners and various advertising companies can use digital fingerprints to distinguish people from bots, as well as to track visitor activity on the web. All the collected information then helps advertisers to "slip" relevant ads to users.
In addition, a digital fingerprint can be used in authentication systems. For example, in some cases, you can do without 2FA if the system detects a certain digital fingerprint and thus recognizes the account owner.
That is why such prints are a fairly hot commodity on cybercrime forums on the dark web. If a conditional attacker buys a couple of these fingerprints, he will be able to gain access to user accounts.
A new vector of attack - Gummy Browsers - is based on the idea that the victim must first be lured to a specific website, which will remove all the information necessary for a digital fingerprint. Further, this data can be used at the discretion of the attackers.

Cybercriminals can take three steps to "present themselves" as an attacked user on other resources, as described by experts:

1. Script injection, where data is retrieved using JavaScript API calls.
2. Browser settings and built-in developer tools can be used to change attributes.
3. Modifying the script allows you to change the browser values and the code embedded in the website before it is sent to the server.

The report (PDF) of experts argues that this method does not arouse any suspicion in the victim, although at this time a potential attacker steals her digital identity. The researchers also warned that real cybercriminals could easily use Gummy Browsers in attacks.