Processor type, IP address, browser in use, installed fonts—by collecting these and other characteristics of browser settings and the underlying operating system, it is possible to create a highly detailed and, in some cases, even unique profile of users. This phenomenon is known as browser fingerprinting.
A study by CISPA researcher Leon Trampert and colleagues now suggests that this tracking method can be applied not only when browsing the web but also in emails, through a previously underexplored method: the use of CSS (cascading style sheets), markup for designing websites.
Even in a large group of website visitors, you are likely uniquely identifiable. Why? Wherever the programming language JavaScript is in use—which is virtually the entire web—specific attributes of your devices and their settings can also be collected. These details are primarily intended to help web developers create better user experiences and functionalities.
But as always, knowledge is power, and not everyone wants this knowledge about them to be out in the world.
“By now, fingerprinting via JavaScript is pretty well known. People particularly concerned with privacy can protect themselves by blocking JavaScript. This can be done either with plugins or by using the Tor browser. For example, this can be useful for journalists afraid of persecution,” explains Leon Trampert.
Modern CSS leaks data
Where one door closes, another opens—and the same seems true for fingerprinting. “Researchers recently discovered that information about users can also leak through the use of CSS,” says Trampert. CSS (short for cascading style sheets) ensures that text, images, and menus are displayed correctly, determines fonts, colors, and the sizes of elements on websites, and allows views to adapt to different screen sizes.
“CSS has become increasingly popular and has gained many new functions in recent years. Some of these have already been analyzed by research colleagues for their potential to violate privacy. However, a holistic review was still missing.”
So, a few months ago, Trampert decided to systematically study modern CSS functions. “We wanted to see how much we could uncover with it and whether CSS allows tracking outside of the web as well.”
Telltale fonts
Trampert examined multiple fingerprinting approaches and identified three techniques for creating user fingerprints using CSS.
“We initially analyzed 1,176 combinations of browsers and operating systems with various settings and were able to infer the users’ systems in 97.95% of cases. Installed fonts, for instance, can be revealing. They provide clues about the browser, operating system, and installed programs,” Trampert explains.
The researchers identified the fonts with a few tricks. “We can’t see this information in plain text, but we can, for example, measure the heights and widths of words by exploiting certain otherwise useful CSS functions. From this, we can infer not just the font but also the system language,” says Trampert.
CSS enables tracking beyond the web
Even more exciting for him was testing email applications. While JavaScript is often blocked by default in many email clients, the use of CSS remains largely unrestricted.
“We tested 21 email clients, including Android, iOS, desktop, and web-based clients. In nine cases, we were able to apply all our techniques successfully and gather information about the users. Eighteen of the 21 email clients were vulnerable to at least one of the techniques,” Trampert explains.
According to Trampert, this could open up entirely new threat scenarios. “For example, attacks could aim to link web sessions of visitors to their email accounts or identify all email addresses of specific users,” he explains.
What now?
Anyone browsing the web is already being measured involuntarily due to tracking cookies and JavaScript.
“Nevertheless, it is important to demonstrate what technical possibilities exist and where new opportunities for abuse arise—as seen here, suddenly even in email programs. Only then can we develop robust defense mechanisms,” says Trampert.
The Ph.D. student conducts research at CISPA, supervised by CISPA faculty Dr. Michael Schwarz and Prof. Dr. Christian Rossow, and intends to continue working on email security issues in the future.
More information:
Leon Trampert et al, Cascading Spy Sheets: Exploiting the Complexity of Modern CSS for Email and Browser Fingerprinting, (2024). DOI: 10.60882/cispa.27194472.v2
Provided by
CISPA Helmholtz Center for Information Security
Citation:
Digital fingerprint: Cascading style sheets leaves users vulnerable to tracking (2025, January 3)
retrieved 3 January 2025
from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no
part may be reproduced without the written permission. The content is provided for information purposes only.
