Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Gummy Browsers Attack Lets Hackers Spoof Tracking Profiles

New Gummy Browsers Attack Lets Hackers Spoof Tracking Profiles

University researchers in the US have developed a new fingerprint capturing and browser spoofing attack called Gummy Browsers. They warn how easy the attack is to carry out and the severe implications it can have.

A digital fingerprint is a unique online identifier associated with a particular user based on a combination of a device’s characteristics. These characteristics could include a user’s IP address, browser and OS version, installed applications, active add-ons, cookies, and even how the user moves their mouse or types on the keyboard.

Websites and advertisers can use these fingerprints to confirm a visitor is a human, track a user between sites, or for targeted advertising. Fingerprints are also used as part of some authentication systems, allowing MFA or other security features to be potentially bypassed if a valid fingerprint is detected.

Digital fingerprints are so valuable that they are sold on dark web marketplaces, allowing threat actors and scammers to spoof users’ online fingerprints to take over accounts more easily or conduct ad fraud.

Also Read: In Case You Didn’t Know, ISO 27001 Requires Penetration Testing

Gummy Browsers

The ‘Gummy Browsers’ attack is the process of capturing a person’s fingerprint by making them visit an attacker-controlled website and then using that fingerprint on a target platform to spoof that person’s identity.

'Gummy Browsers' attack overview
‘Gummy Browsers’ attack overview

After generating a fingerprint of a user using existing or custom scripts, the researchers developed the following method to spoof the user on other sites:

  • Script injection – Spoofing the victim’s fingerprint by executing scripts (with Selenium) that serve values extracted by the JavaScript API calls.
  • Browser setting and debugging tool – Both can be used to change the browser attributes to any custom value, affecting both the JavaScript API and the corresponding value in the HTTP header.
  • Script modification – Changing the browser properties with spoofed values by modifying the scripts embedded in the website before they are sent to the webserver.

By capturing the victim’s fingerprint only once, the researchers said they could trick state-of-the-art fingerprinting systems such as FPStalker and Panopliclick for extensive periods.

“Our results showed that Gummy Browsers can successfully impersonate the victim’s browser transparently almost all the time without affecting the tracking of legitimate users,” the researchers explain in an Arxiv paper published yesterday.

Also Read: 4 Considerations In The PDPA Singapore Checklist: The Specifics

“Since acquiring and spoofing the browser characteristics is oblivious to both the user and the remote web-server, Gummy Browsers can be launched easily while remaining hard to detect”

Their tests returned a true positive rate of 0.9 and raised no alarms to alert the spoofed user that their online ‘identity’ was stolen.

True positive rate (TPR) diagrams.
True positive rate (TPR) diagrams.

Attack can be heavily abused

The researchers state that threat actors can easily use the Gummy Browsers attack to trick systems utilizing fingerprinting.

“The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser-fingerprinting is starting to get widely adopted in the real world,” warned the researchers.

“In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale.”

The attack can spoof a user’s identity to make a script appear as a human rather than a bot and be served targeted ads to perform ad fraud.

The Gummy Browsers attack may also help bypass security features used to detect legitimate users in authentication services. Examples of authentication systems that use fingerprinting include OracleInauth, and SecureAuth IdP.

For example, SecureAuth ADP can be configured not to perform multi-factor authentication if a legitimate fingerprint is found.

“When a User logs into a realm, it is possible to use Device Recognition to prevent them having to MFA every time they access the realm,” explains an SecureAuth IDP support article.

Finally, many banks and retail sites use fingerprinting as part of their fraud detection mechanisms, which can be bypassed by spoofing a legitimate user’s identity.

Update 10/20/21: Added further context regarding how threat actors can use Gummy Browsers to bypass 2FA on auth systems. Also fixed two occurances of us calling it a Gummy Bear attack.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us