Home / Blog

New attacks make it easy for hackers to take away and spoof Digital Fingerprints

Jason Li
Sr. Software Development Engineer
Skilled Angular and .NET developer, team leader for a healthcare insurance company.
November 05, 2021

While fingerprinting has been a privacy-intrusive technique for users, it can pose a "potentially devastating and hard-to-detect threat" to user’s security. That’s why academic professionals from U.S. University developed a new fingerprint-capturing and browser-spoofing cyber attack dubbed Gummy Browsers. They forewarn how easy the attack is to carry out and the dangerous implications it can have.

New attacks make it easy for hackers to take away And spoof Digital Fingerprints

Gummy browsers

The 'Gummy Browsers' attack is the method of capturing a person's fingerprint by converting them to visit an attacker-controlled website and then using that fingerprint on a target platform to spoof that person's identity. Gummy Browsers attack pursues a pattern where a victim is intent on access a malevolent website, so this would be the moment when pirates could get their fingerprints. Having this, cyber crooks can go to a target platform for the sake of perform identity spoofing.

Gummy Browsers can remain veiled and hidden to the targeted user and the targeted website. Since the capturing and spoofing of the browser attributes is done fully translucently and vaguely, Gummy Browsers can be launched smoothly and efficiently without being noticed by the user or the website.

In this view, given the fact that browser fingerprinting methods are getting dispensed widely in the real world, Gummy Browsers can have a annihilating and lasting effect on the online privacy and safety of the users. Capturing the victim’s fingerprinting data just once allows the attacker to spoof the victim for a prolonged period of time. The process can be repeated for further effect. Given the fundamental nature of the attack, it would be very tough to defeat.

The essential component of Gummy Browsers is the capacity of the cyber crooks to spoof the victim’s browser fingerprint so that the cyber crooks can present its own browser as if it is the victim’s browser in the face of the web service. Researchers generated by means of already prevailing scripts or customs ones a user fingerprint. Then they designed three techniques to get the user spoofed on different websites

Method 1: Script Injection

Script injection is safety vulnerability, a perilous security threat that enables an attacker to inject malevolent code in the user interface elements of your Web form of data-driven Web sites. Java script is one of the most well-known technologies and is most frequently used for web pages and web applications. It can be used for realizing different website enhancements.

However, this technology can bring some safety problems, which the developer and tester should be awake about. Java script can be used not only for benign intentions but for some malevolent attacks too. One among that is Java script Injection. The substance of JS Injection is to inject the Java script code that will be run from the client-side.

In browser fingerprinting, when the browser loads a website, the website carries out scripts composed of various JavaScript API calls to remove the browser information. To spoof fingerprint, the values excavated by the JavaScript API calls suppose to be altered before the search engine carries out the scripts inserted in the website. The objects where these excavated values are stored can be overwritten by creating a new object with the same name and constructor as that of the original JavaScript APIs.

Method 2: setting the browser and tool debugging

These strategies are useful if browser attribute change is desired, the attribute can be amended into any customized value. These will have an effect firstly on the JavaScript API and secondly on the matching value from the HTTP header. These tools are also helpful for working with large CSS files and projects that you may be unfamiliar with. It even has a built-in element for validating the syntax of the page and helps you locate the possible errors.

Many of the browsers proffer an apparatus in the form of the browser setting and the debugging tool that allows its users to alter various attributes of the client device and the browser. For example, cookies, local storage and “do not track” options can be permitted or crippled simply through the browser setting in the Google Chrome browser and the “about:config” page in the Firefox browser. Further, about:config page in the Firefox browser permits the user to draft his own APIs that can overwrite the browser’s predetermined APIs. This method can totally change the browser’s attributes.

The browser also tenders a debugging tool designed for web application developers that allows them to debug and strengthen their web application functionality. By the use of debugging tool, various browsers attributes, encompasses geo location, user-agent and caches disabled can be changed quickly. The alterations affect both the JavaScript API (e.g., navigator.userAgent) and the corresponding value in the HTTP header (e.g., the value of user-agent field). The debugging tool permits the modifications on the browser’s attributes to any custom value, whether it is a pre-defined valid string, or a random text.

Method 3: Modifying the script

Altering the scripts placed in the website before they are transferred to the web server to modify the browser properties with faked values. Once the inserted scripts have extorted the browser data, they can be altered before the website sends it to the web server. Applying the developer debugging tool, a breakpoint can be set at the debut of each script of the website so that the scripts’ execution gets stopped at the set breakpoint.

By examining the inserted scripts, the JavaScript API expression can be substituted with the tricked values. As an illustration, platform =navigator.platform can be substituted with platform =‘‘Win32′′ that reveals the underlying platform of the device as Win32, rather than the actual platform. Despite, each API expression should be modified very cautiously as the use of an erroneous expression (i.e., its value and format) can warn the web service and the modifications can fail.

Most web services or websites utilize JavaScript obfuscation on the scripts, instead of the native ones. The objective of using obfuscation is to make the scripts tricky to comprehend. JavaScript Obfuscator Tool is an example of such obfuscation techniques. JavaScript obfuscation can indeed make script alteration tougher than native scripts. However, there are JavaScript deobfuscation techniques that can help us to get native scripts. A previous study and deobfuscation service have shown that deobfuscation can work. So obfuscated scripts will not pose a problem in script alteration.

Fingerprinting Systems can be fooled

As the scholars indicated in the paper they published, they managed to deceive fingerprinting systems such as FPStalker and Panopliclick after a one-time victims’ fingerprinting capturing.

The Threat Is Authentic

The menace of a Gummy Browsers attack is real, the identity spoofing can ascertain a script to be confused to a human, making it seem like this is not a bot. Authentication services normally have specific safety features intended to check if a user is authentic or not. Let’s take Oracle, Inauth, or SecureAuth IdP for example. The Gummy Browser attack may be used as a means to evade these kinds of safety checks. In this regard, SecureAuth IdP for instance can be made not to use MFA if a legitimate fingerprint is discovered.

Threats of Stolen Fingerprints

With the expansion in fingerprint and biometric authentification proceedings, stolen digital fingerprints have become one of the crucial targets of cyber crooks. Threat actors even trade stolen credentials along with fingerprints on various dark net forums, permitting cyber crooks and affiliates to perform scams and frauds.

Scholars recently demonstrated that it’s feasible to fool fingerprint scanners using artificial intelligence to make replica prints that can beat the system. So one day, sophisticated computers might be able to recreate any features to fool biometric security systems into letting an impostor through. But for now, if biometric service purveyors would take some sheer steps to make their data safer, we could more avoid breaches that will eventually make these systems outdated.

The Digital Fingerprints and its uses

A digital fingerprint is a rare online identifier connected with a particular user based on an amalgamation of a device's characteristics. These characteristics could encompass a user's IP address, installed applications, browser and OS version, cookies, active add-ons, and even how the user moves their mouse or types on the keyboard.

Websites and advertisers can utilize these fingerprints to confirm a visitor is a human, target advertising, or track a user between sites. Fingerprints are also used as part of some verification systems, allowing MFA or other safety features to be conceivably bypassed if a valid fingerprint is detected. Digital fingerprints are so beneficial that they are sold on dark web marketplaces, permitting threat actors and scammers to spoof users' online fingerprints to take over accounts more smoothly or escort ad fraud.


As browser fingerprinting is becoming more commonly known, the repercussions of the Gummy Browsers threat are really hazardous. It permits attackers to bypass security solutions used for validating users. Thus, safety teams must work toward remedies to stop such attacks. The researchers warned that the Gummy Browsers attack could have a lasting impact on users' online privacy and safety as browser fingerprinting continues to expand in adoption in the real world.