[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Fingerprint Spoofer

Version 1.1 View in Chrome Web Store

Last scanned: about 3 hours ago

Extension Details

Rating: 4.5 ★ (10 ratings)

Users: 20,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a decent user base of 20,000 users and a solid 4.5-star rating, though based on only 10 reviews which is quite limited for the user count. The lack of clear developer information and missing last updated date raises transparency concerns. The extension's purpose - fingerprint spoofing - is inherently privacy-focused but operates in a gray area that could attract both legitimate privacy users and malicious actors.

Concerns:

The combination of broad host permissions with scripting capabilities creates significant risk potential. The extension can access and modify content on all websites you visit, which goes far beyond what's typically needed for fingerprint spoofing. The declarativeNetRequestWithHostAccess permission allows network request modification across all sites. While fingerprint spoofing may require some level of site access, the <all_urls> permission is overly broad and could enable data harvesting, credential theft, or tracking - ironically the opposite of the extension's stated privacy purpose.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to privacy-sensitive browsing. Regularly audit what data the extension stores locally. Monitor your browsing behavior for any unusual network activity. Consider alternative fingerprint protection methods built into privacy-focused browsers like Firefox with strict settings, or well-established extensions from verified developers with more transparent development practices and narrower permission scopes.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

storage
scripting
contentSettings
declarativeNetRequestWithHostAccess

Host Permissions:

<all_urls>

Embedded URLs (70 total):

https://en.wikipedia.org/wiki/Device_fingerprint	https://amiunique.org/
https://coveryourtracks.eff.org/	https://browserleaks.com/canvas
https://github.com/noble-8	https://github.com/Kalvinci
https://getbootstrap.com/	https://github.com/twbs/bootstrap/blob/main/LICENSE
https://github.com/sass/sass/issues/2383#issuecomment-336349172	https://github.com/necolas/normalize.css
https://github.com/twbs/bootstrap/issues/19402	https://github.com/twbs/bootstrap/issues/24093
https://github.com/twbs/bootstrap/pull/30562	https://github.com/twbs/bootstrap/issues/24990
https://stackoverflow.com/a/54997118	https://github.com/twbs/bootstrap/issues/12359
https://html.spec.whatwg.org/multipage/#the-fieldset-and-legend-elements	https://github.com/twbs/bootstrap/issues/29712
https://github.com/twbs/bootstrap/issues/18842	https://github.com/twbs/bootstrap/issues/11586.
https://rtlstyling.com/posts/rtl-styling#form-inputs	https://rtlcss.com/learn/usage-guide/control-directives/#raw
http://www.w3.org/2000/svg	https://github.com/twbs/rfs/blob/main/LICENSE
https://github.com/twbs/rfs/issues/14	https://github.com/twbs/bootstrap/issues/18178
https://www.w3.org/TR/mediaqueries-4/#mq-min-max	https://bugs.webkit.org/show_bug.cgi?id=178261
https://github.com/react-bootstrap/react-bootstrap/issues/6039	https://github.com/philipwalton/flexbugs#flexbug-4
https://github.com/twbs/bootstrap/issues/23307	https://bugs.webkit.org/show_bug.cgi?id=198959
https://github.com/twbs/bootstrap/pull/11526.	https://github.com/twbs/bootstrap/issues/11655.
https://github.com/twbs/bootstrap/pull/29124	https://primer.github.io/.
https://github.com/twbs/bootstrap/issues/32636	https://github.com/twbs/bootstrap/issues/28247
https://stackoverflow.com/questions/36247140/why-dont-flex-items-shrink-past-content-size	https://github.com/sass/sass/issues/1873#issuecomment-152293725
https://github.com/twbs/bootstrap/pull/27703	https://github.com/twbs/bootstrap/pull/22740#issuecomment-305868106
https://developer.mozilla.org/en-US/docs/Web/Events/click#Safari_Mobile	https://github.com/twbs/bootstrap/pull/10951.
https://bugs.webkit.org/show_bug.cgi?id=158342	https://github.com/twbs/bootstrap/issues/17695
https://github.com/twbs/bootstrap/issues/24800	https://www.a11yproject.com/posts/2013-01-11-how-to-hide-content/
https://kittygiraudel.com/2016/10/13/css-hide-and-seek/	https://github.com/twbs/bootstrap/issues/25686
https://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1	https://goo.gl/pxwQGp
https://github.com/twbs/bootstrap/issues/32273	https://www.charistheo.io/blog/2021/02/restart-a-css-animation-with-javascript/#restarting-a-css-animation
https://github.com/popperjs/popper-core/issues/1223	https://github.com/popperjs/popper-core/issues/837
https://developer.mozilla.org/en-US/docs/Web/CSS/Containing_block#identifying_the_containing_block	https://github.com/facebook/flow/issues/1414
https://github.com/popperjs/popper-core/issues/1078	https://stackoverflow.com/questions/49875255
https://www.quirksmode.org/blog/archives/2014/02/mouse_event_bub.html	https://popper.js.org
https://developer.mozilla.org/en-US/docs/Web/API/Window/innerWidth#usage_notes	https://github.com/angular/angular/blob/12.2.x/packages/core/src/sanitization/url_sanitizer.ts
https://github.com/twbs/bootstrap/graphs/contributors	https://clients2.google.com/service/update2/crx
https://fonts.googleapis.com	https://fonts.gstatic.com
https://fonts.googleapis.com/css2?family=Open+Sans:ital	https://randua.somespecial.one/

Raw Manifest

{
  "name": "Fingerprint Spoofer",
  "action": {
    "default_icon": {
      "16": "./images/fingerprint-16.png",
      "32": "./images/fingerprint-32.png",
      "48": "./images/fingerprint-48.png",
      "128": "./images/fingerprint-128.png"
    },
    "default_popup": "popup.html"
  },
  "version": "1.1",
  "background": {
    "service_worker": "js/background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Helps to spoof browser fingerprinting",
  "permissions": [
    "storage",
    "scripting",
    "contentSettings",
    "declarativeNetRequestWithHostAccess"
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "js/navigatorSpoofScript.js",
        "js/canvasSpoofScript.js"
      ],
      "use_dynamic_url": true
    }
  ]
}

by ✦ Astarte