Threat Watch

New Gummy Browsers Attack Lets Hackers Spoof Tracking Profiles

University researchers in the US have developed a new fingerprint-capturing and browser-spoofing attack called Gummy Browsers. They warn how easy the attack is to carry out and how severe its implications can be. A browser fingerprint is an identifier derived from a combination of a device's observable characteristics; the combination is, in practice, close to unique for a given user. These characteristics can include the user's IP address, browser and OS version, installed applications, active add-ons, cookies, and even how the user moves the mouse or types on the keyboard. Websites and advertisers use these fingerprints to distinguish humans from bots, track a user across sites, and target advertising. Some authentication systems also use the fingerprint as a signal that a login comes from a known device, so a spoofed but valid-looking fingerprint can allow multi-factor authentication (MFA) or other security checks to be skipped. Digital fingerprints are valuable enough to be sold on dark web marketplaces, allowing threat actors and scammers to spoof users' fingerprints to take over accounts more easily or conduct ad fraud.

The Gummy Browsers attack works by luring a person to an attacker-controlled website that captures their fingerprint, then replaying that fingerprint on a target platform to impersonate them. By capturing the victim's fingerprint only once, the researchers said they could trick state-of-the-art fingerprinting systems such as FPStalker and Panopticlick for extensive periods. “Our results showed that Gummy Browsers can successfully impersonate the victim’s browser transparently almost all the time without affecting the tracking of legitimate users,” the researchers explain in an arXiv paper published yesterday. “Since acquiring and spoofing the browser characteristics is oblivious to both the user and the remote web-server, Gummy Browsers can be launched easily while remaining hard to detect.” Their tests returned a true positive rate of 0.9 and raised no alarms that would alert the spoofed user that their online ‘identity’ had been stolen.


Organizations that use device fingerprints as an authentication signal should still require multi-factor authentication (MFA) on all systems rather than letting a recognised fingerprint stand in for it. It is also recommended to educate users to be wary of emails asking for login information or warning of a logon problem. Instead of clicking the link in the email, users should go directly to the authentic website, either by typing the address into the URL bar or by searching for the legitimate site.