
Gummy Browsers – An Attack Exploiting Browser Fingerprinting

by Abeerah Hashim

While browser fingerprinting has long been a privacy-intrusive technique for users, it can now pose a direct threat to users’ security. That’s because researchers have devised a new attack strategy, “Gummy Browsers,” that exploits fingerprinting by spoofing the target user’s browser.

Gummy Browsers Attack Tricks Browser Fingerprinting

A team of researchers from Texas A&M University and the University of Florida has shared details about how browser fingerprinting can risk users’ security.

Briefly, browser fingerprinting is a common user tracking approach that different apps and websites use to identify and track visitors. For this, the apps or websites log users’ device and browser details, IP addresses, system information, and more. They then track the users’ browsing habits and interests and build a profile by linking all this data.

This profile potentially includes identifiable user information that an adversary can exploit. That’s what the researchers have demonstrated in their recent study.

How it all works

As elaborated in a detailed research paper, the team has devised “Gummy Browsers”, an attack strategy that mimics web browsers. The idea is to deceive sites and apps that rely on browser fingerprinting in order to obtain the target user’s data.

The idea is that the attacker 𝐴 first makes the user 𝑈 connect to his website (or to a well-known site the attacker controls) and transparently collects the information from 𝑈 that is used for fingerprinting purposes (just like any fingerprinting website 𝑊 collects this information). Then, 𝐴 orchestrates a browser on his own machine to replicate and transmit the same fingerprinting information when connecting to 𝑊, fooling 𝑊 to think that 𝑈 is the one requesting the service rather than 𝐴. As a consequence, if 𝑊 populates targeted ads for 𝑈 based on only browser fingerprints, 𝐴 can now start seeing the same or similar ads on his browser as 𝑈 would see. This will allow the attacker to profile 𝑈 and compromise 𝑈’s privacy.

In their study, the researchers successfully implemented the attack using three script injection-based techniques to mimic browsers. These include browser settings, debugging tools, and script modification.

Gummy Browsers attack model (Source: Liu et al.)

After that, they could easily validate the attack effectiveness by employing two fingerprinting algorithms, Panopticlick and FP-Stalker.

Such an attack can take place remotely without being detected. Also, it employs no cookies and merely relies on browser spoofing.

Once an adversary gets a victim’s browser fingerprints, the adversary can use them maliciously for a long period of time.

Potential Exploitability And Limitations

Given the accuracy of the profiling and browser fingerprinting obtained, the Gummy Browsers attack poses a serious real-world threat.

According to the researchers, the widespread adoption of browser fingerprinting globally now raises concerns about users’ online security.

The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser-fingerprinting is starting to get widely adopted in the real world. In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale.

However, the study notes some limitations that may affect the attack’s efficiency. For instance, a change in the browser fingerprint may result in only partial accuracy of the spoofed results. Still, given how easy these attacks are to execute, it isn’t difficult for an adversary to re-profile a target user.
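
The view from a site 𝑊 that identifies visitors by fingerprint alone, as an added example (not code from the researchers or from this article): a simplified linker, not Panopticlick or FP-Stalker, with constructed attribute names and values. It shows that identical reported values yield the same identity regardless of the sending machine, and that a changed fingerprint makes an older copy match only partially, as the limitation above notes.

```javascript
// Added example: toy fingerprint linker, not Panopticlick or FP-Stalker; sample data is constructed.
// Canonical form: sorted key=value pairs, so attribute order does not matter.
function canonical(attrs) {
  return Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join('|');
}

// 32-bit FNV-1a over the canonical string: the exact-match identifier.
function fingerprintId(attrs) {
  let h = 0x811c9dc5;
  for (const ch of canonical(attrs)) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Fraction of attributes (union of keys) on which two fingerprints agree.
function similarity(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  let same = 0;
  for (const k of keys) if (a[k] === b[k]) same += 1;
  return same / keys.size;
}

// Link a visit to the closest stored profile if it clears the threshold.
function linkVisit(profiles, attrs, threshold) {
  let best = { user: null, score: 0 };
  for (const [user, stored] of Object.entries(profiles)) {
    const score = similarity(stored, attrs);
    if (score > best.score) best = { user, score };
  }
  return best.score >= threshold ? best : { user: null, score: best.score };
}

const ua = (v) => `Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/${v}`;
const profileU = { userAgent: ua('94.0'), language: 'en-US', timezone: 'America/Chicago',
  screen: '1920x1080x24', platform: 'Linux x86_64', fonts: 'DejaVu Sans,Liberation Serif' };
const reported = { ...profileU }; // same values, sent from a different machine
const afterUpdate = { U: { ...profileU, userAgent: ua('95.0') } }; // U's browser updated

function demo() {
  return {
    sameId: fingerprintId(reported) === fingerprintId(profileU), // W cannot tell them apart
    fresh: linkVisit({ U: profileU }, reported, 0.9),   // score 1, linked to U
    stale: linkVisit(afterUpdate, reported, 0.9),       // 5/6 agree, below 0.9: not linked
    staleLoose: linkVisit(afterUpdate, reported, 0.8),  // drift-tolerant threshold links it
  };
}
console.log(demo());
```

A site that treats the fingerprint as one signal among several, rather than as the identity itself, is not bound by this equality.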
