Browser Extension and Login-Leak Experiment

Frequently asked questions

General questions

How does the detection techniques work?

You can learn more here about how these detection techniques work.

How to protect my self, how can I avoid such kind of tracking?

You can learn more about the self protection here.

What is the browser fingerprint?

It is an identifier is based on the properties of your browser or system, like what is your screen resolution or what fonts you have installed. The most well known (and problably first) demonstration of browser fingerprints was the Panopticlick experiment by EFF. There are others, like Am I unique?, and we also had an experiment on cross-browser fingerprinting.

What is this strange name and robot avatar all about?

We use fingerprintjs2 to detect your browser's properties. It also generates an identifier, which we use as an experiment identifier for your browser, based on which the avatar is generated for you. It is just easier to remember for most of us.

The test misteriously stopped and it seems never wants to finish. Why?

To run the test with proper results, it is proposed to have a good network connection. Otherwise hangs may be expected both for the extensions and the login detections.

Do you have any materials for the press?

Sure, here is a post covering most aspects of our experiment, here are some screenshots.

Extension detection

I don't see all the extensions that I have installed. Why is that?

Extensions can only be detected if they have web accessible resources. Some extensions have such resources while others don't. During our experiment, we have found around 13 000 extensions that have web accessible resources out of 47 000 extensions tested.

Could this work in other browsers, too?

Yap. For example, to a very limited extent extension detection also works in Firefox. However, we decided not to include it due its instability.

But for Firefox, there are other leaks that should be considered: this method lets websites decide if you are using Tor Browser or not.

Inspired by our experiment, Manuel Caballero wrote an interesting post on how to do the same attack in the Edge browser.

What Chrome extensions are detected currently?

We have 12497 extensions on our list to be detected. You can search them the list below. By clicking on the name a new tab will be opened with the extension in the Chrome extension store.

  Load extension list

Web login detection

What is this web login detection about?

If you are logged into a social media service or other sites, it is possible for other websites to detect this. If you are logged into a social media service, it is possible for other websites to detect this. For example, we check whether you are logged into Gmail, Facebook and Twitter. Notice that the social media leak works only if your browser accepts third-party cookies. While it seems that major social media companies don't care about this, we think this is still an issue: using the presence information bit-by-bit could be used for tracking.

Results for the web logins are not correct. Why?

Well, there can be several reasons to have that. If you have Ghostery or Disconnect enabled, the results you see here may be not correct, and the test will not work if you have third party cookies blocked. In addition, we are working with a closed list of sites to be detected – perhaps the one you consider was not on it.

The test says that my results might not be correct due to a browser bug. What is this exactly?

We observed that in some cases the CSP violation is not correctly sent or delayed. When we observe such a phenomena during the test, we mark results based on CSP violation as likely to be incorrect. We'll disclose more details on the nature of the problem later.

Why do I get strange behavior if I change the user agent string?

We tailored our experiment to browsers, as they behave differently regarding the tools we use in our experiment. For example, if there is a CSP violation all browser push a notification immediately to the user console. However, while Safari and Firefox also call the report uri immediately as well, Opera and Chrome do this after some delay (we observed such delay around 1-6 secs), or another difference: Safari never fires the onload/onerror events for images which were violating the CSP constraints. So, by changing the user agent string, you can get strange results because of these differences. However, don't expect too much privacy from such changes, malicious websites might detect the brand of your browser by other means.

What sites will my browser make a connection to during the login check?

We are currently checking these sites. Plus we make a control visit to, in order to know if CSP violation reports are delivered.

      Back to the main page

    Browser Extension and Login-Leak Experiment – © 2019 all rights reserved – Website designed by Gábor Gulyás