9

A few days ago I was searching YouTube and I noticed an "outlier" video popped up in the suggestions list. This video had nothing to do with the topic being searched, but instead it was based on a previous search that was requested from this same computer two weeks ago.

This was impressive considering the situation made fingerprinting difficult. In particular:

  • I was not logged in, nor was any other person on this machine, to YouTube or any other Google service.
  • The browser is configured in "private" mode by default, so every cookie/storage/websql/indexeddb file is deleted when it is closed. This means whatever info they stored was backed up online.
  • The IP changes at least once each day, so hundreds or thousands of IPs would be associated with this geographical area. I'm almost sure they can only pin it down to the city level from what I have been able to observe in Gmail's account activity page for several users in this same area.
  • The user agent is nothing out of the common, as the browser regularly updates to the latest version. In fact, this is not 100% verified but I'm pretty sure their profiling method is somehow resistant to IP and user agent changes.
  • Installed plugins are the usual ones, very common as well.
  • Same about installed fonts and screen resolution.

In fact there are more computers in the LAN with almost the same setup (OS/browser/plugins). And they share the same IP. How they were able to identify the correct one over a two-week period beats me.

Only disabling scripts for the google.com domain solved it, at the expense of not being able to read the comments.

I've visited Panopticlick's site and nothing shown in the table is unique to the point of tracking an individual user over time. However, the page says the fingerprint is unique among 4 million, which is a number greater than the population of the geographical area (also in the order of millions).

Questions:

  1. Is there anything in the browser unique enough to identify a machine inside a large city, or is it the combination of several characteristics that makes identification possible?
  2. Are Google's fingerprinting methods known? Has anyone conducted an analysis of their scripts?
Mister Smith
  • Could you confirm what you mean by "private" mode? Do you mean it was Chrome in Incognito mode? This could be a Zombie Cookie, but Incognito mode effectively blocks them. http://en.wikipedia.org/wiki/Zombie_cookie – paj28 Jul 10 '14 at 08:07
  • It was not Chrome, but yes, no history and no cookies stored after the browser is closed. – Mister Smith Jul 10 '14 at 08:15
  • A new technique just announced! http://www.theregister.co.uk/2014/07/22/canvas_fingerprinting_is_privacy_pirates_new_web_weapon/ – paj28 Jul 22 '14 at 15:10
  • @paj28 Yup, but AFAIK Google is not using that. Nor flash cookies/regular cookies/HTML5 storage. My guess: it is a hell of a fingerprinting method backed up online. – Mister Smith Jul 23 '14 at 12:17
  • Are you currently logged into gmail or youtube with any of your devices (phone, game console, tablet, second computer) on that IP? (is your smartphone on the same network) – CaffeineAddiction Mar 30 '17 at 15:42

1 Answer

6

This sounds like a Zombie Cookie.

There are a large number of places a web site can store state: cookies, Flash local storage, ETags, etc. When you clear your cookies, you do not necessarily clear all these places. Web sites can store an identifier in some of these other places, and track users despite them clearing their cookies.

If you use a dedicated private browsing mode, such as Chrome Incognito mode, or Firefox Private Browsing, the browser is locked down to prevent this. In particular, browser plugins are disabled, which avoids Flash local storage being an issue.

If you use standard browsing mode, and clear your history and cookies at the end of the session, you do not get the lock downs that private browsing modes provide, and you are vulnerable to Zombie cookies.

paj28
  • Most likely a zombie cookie stored online. The only other persistence mechanism would be browser cache, but I think I have configured the browser to use RAM cache. I can't confirm whether flash cookies were enabled, but YouTube does not use flash cookies, because tracking would not work for non-flash devices (like iPhones). – Mister Smith Jul 10 '14 at 08:59
  • And if there isn't local persistence, then they have to have some nice fingerprinting technique. – Mister Smith Jul 10 '14 at 09:00
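
A way to test the zombie-cookie explanation in the answer above, as an added example that is not part of the original posts: record a site's storage at the end of one visit, after the clean-up step, and at the end of the next visit, then check which cookie values came back and which store still held them. The store names, keys and identifier values are constructed sample data.

```javascript
// Added example. Store names, keys and identifier values are constructed sample data.
// Each snapshot maps a storage area to its key/value entries for one site.
const firstVisit = {
  cookies:  { uid: "a81f3c9e77d2", lang: "en" },
  etag:     { "/pixel.gif": '"a81f3c9e77d2"' },
  flashLSO: { "settings.sol": "uid=a81f3c9e77d2" },
};
// Standard mode, history and cookies cleared: only the cookie jar is emptied.
const afterCookieClear = { ...firstVisit, cookies: {} };
const revisitStandard  = firstVisit; // the same uid is back in the cookie jar
// Private mode closed: every store is discarded, so the site issues a new uid.
const afterPrivateClose = { cookies: {}, etag: {}, flashLSO: {} };
const revisitPrivate    = { cookies: { uid: "5502bd41c0fe" }, etag: {}, flashLSO: {} };

// Report cookies that were cleared and then came back with their old value,
// plus every non-cookie store that still held that value after the clean-up.
function findRespawned(before, cleared, after, minLen = 8) {
  const findings = [];
  for (const [name, value] of Object.entries(after.cookies)) {
    if (value.length < minLen) continue;            // ignore short flags
    if (before.cookies[name] !== value) continue;   // fresh value, not a respawn
    if (cleared.cookies[name] === value) continue;  // was never cleared
    const sources = [];
    for (const [store, entries] of Object.entries(cleared)) {
      if (store === "cookies") continue;
      for (const [key, held] of Object.entries(entries)) {
        if (held.includes(value)) sources.push(`${store}:${key}`);
      }
    }
    // Empty sources: none of the recorded local stores explains the respawn.
    findings.push({ cookie: name, value, sources });
  }
  return findings;
}

console.log(findRespawned(firstVisit, afterCookieClear, revisitStandard));
console.log(findRespawned(firstVisit, afterPrivateClose, revisitPrivate));
```

A finding with an empty `sources` list is the case raised in the last comment: the old value returned although no recorded local store held it.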