Web tracking is expanding to cookie-less techniques, like browser fingerprinting, to evade popular privacy-enhancing web extensions, namely ad blockers. To mitigate tracking, privacy-aware users are motivated to optimize their privacy setups by adopting proposed anti-fingerprinting configurations and customizing ad blocker settings to maximize the number of blocked trackers. However, users’ choices can counter-intuitively undermine their privacy. In this work, we quantify the risk incurred by modifying ad-blocker filter-list selections. We evaluate the fingerprintability of ad-blocker customization and its implications on privacy. We present three scriptless attacks that evade SoTA fingerprinting detectors and mitigations. Our attacks identify 84% of filter lists, capture stable fingerprints with 0.72 normalized entropy, and reduce the relative anonymity set of users to a median of 48 users (0.2% of the population) using only 45 rules out of 577K. Finally, we provide recommendations and precautionary measures to all parties involved.
Usenix Security Symposium (USENIX-Security)
2025-08-13
2025-05-14