Researchers Unveil How CSS Can Expose User Data


A recent study by researchers at the CISPA Helmholtz Center for Information Security has uncovered a new method of tracking online users, leveraging Cascading Style Sheets (CSS) to gather detailed fingerprints even beyond typical web browsing. Traditionally, browser fingerprinting has relied on JavaScript to collect information such as processor type, IP address, and browser settings. Now, CSS, a tool primarily used to style websites, has been found to leak significant user data that could be used for privacy invasions.

The research, led by CISPA’s Leon Trampert, reveals that modern CSS features can be exploited to identify users, similar to the way JavaScript-based tracking works. While most users are aware of tracking via JavaScript and often protect themselves with plugins or privacy-focused browsers like Tor, the CSS method is largely under the radar. Trampert’s study shows that by analyzing how websites are styled, attackers can infer sensitive details about a user’s device and browsing environment, such as the fonts installed on the system, the operating system in use, and even the system language.

According to TechXplore, the study’s breakthrough came when Trampert and his team tested over 1,100 different browser and operating system combinations. They found that CSS fingerprinting could identify the users’ systems with an impressive 97.95% accuracy. This technique exploits CSS functions like measuring the width and height of text, which can reveal font information that indirectly exposes underlying system details. According to Trampert, even small variations in how text is rendered can give away crucial clues about a user’s environment.

Perhaps even more alarming, the team tested how this method could be applied in email clients. Unlike JavaScript, many email clients do not block CSS, leaving users vulnerable to this new form of tracking. In their testing of 21 different email clients, including mobile and desktop versions, the researchers found that 18 of them were susceptible to at least one of the fingerprinting techniques. This raises the potential for serious privacy breaches, such as linking web activity with email accounts or identifying specific users based on their email addresses.
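A defender-side check for the email case described above, as an added example that is not from the article or the CISPA study: it flags remote `url()` fetches that sit inside conditional at-rules in a message's `<style>` blocks. It assumes fingerprint bits are reported through such conditional fetches, a mechanism the article does not spell out; the function names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# At-rules whose body applies only when a client-side condition holds.
CONDITIONAL = re.compile(r"@(media|container|supports)\b([^{]*)\{", re.I)
REMOTE_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^'\")\s]+)", re.I)

class StyleCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_style, self.css = False, []
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:  # text inside <style> elements only
            self.css.append(data)

def block_end(css, start):
    """Index just past the brace closing the block that was opened before start."""
    depth, i = 1, start
    while i < len(css) and depth:
        depth += {"{": 1, "}": -1}.get(css[i], 0)
        i += 1
    return i

def conditional_remote_loads(html):
    """Return (at-rule, condition, url) for each remote fetch gated on a condition."""
    collector = StyleCollector()
    collector.feed(html)
    css = re.sub(r"/\*.*?\*/", "", "".join(collector.css), flags=re.S)
    findings = []
    for m in CONDITIONAL.finditer(css):
        body = css[m.end():block_end(css, m.end())]
        for url in REMOTE_URL.findall(body):
            findings.append((m.group(1).lower(), m.group(2).strip(), url))
    return findings

# Constructed sample message body (not taken from the study).
SAMPLE = """<html><head><style>
p { color: #333; background: url(https://cdn.example.com/bg.png); }
@media (min-width: 1200px) { .a { background: url("https://t.example.net/w?v=1200"); } }
@supports (display: grid) { .b { background-image: url(//t.example.net/s?grid=1); } }
</style></head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    print(conditional_remote_loads(SAMPLE))
```

The unconditional background image in the sample is not reported; only fetches whose execution depends on a client property are. A remote fetch nested inside two conditional rules is reported once per enclosing rule.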

This discovery opens up new challenges in protecting user privacy. As tracking technologies evolve, so too must our defenses. Trampert emphasized the importance of understanding these emerging threats so that stronger countermeasures can be developed.