Internet users have plenty of options to make their connections more private. Popular choices include content blocking, using VPNs, or disabling services or features that may reveal information about them.
However, in rare circumstances, it is the very tools designed to protect users that may reveal information about them.
Enter Adbleed
Adbleed is a proof-of-concept designed to highlight a specific privacy risk associated with the use of regional adblocking rules.
The tool functions by detecting which country-specific filter lists—such as EasyList Germany or Liste FR—are currently active within a user’s browser. By probing for the blocking of domains unique to these specific lists, Adbleed creates a “filter fingerprint” that can reveal a user’s likely country of origin or language preference.
This technique demonstrates that users can be partially de-anonymized based solely on their adblocking configuration, even when employing VPNs or proxies to mask their physical location.
The detection process follows three simple steps:
- Domains: The tool uses a curated list of domains that are blocked exclusively by certain filter lists, such as EasyList Germany.
- Probing: Adbleed attempts to load resources from these specific domains. It then looks at what is returned. Blocked requests, which happen near instantly, are what the tool is after. It measures the time it takes to get a response to distinguish blocked requests from other errors, e.g., network failures.
- Fingerprinting: When a specific number of domains are blocked from a regional listing, Adbleed concludes that the list is active.
What does it mean? It means that a site can detect if certain regional content blocking lists are likely enabled. This adds another factor to fingerprinting attempts.
Mitigation & Protection
Here are a few suggestions to mitigate Adbleed or limit its use for fingerprinting:
- Stick to the defaults. If you do not enable any regional lists, Adbleed won’t detect any, which in turn makes your configuration less unique.
- Enable anti-fingerprinting: If the browser supports anti-fingerprinting techniques, make sure they are enabled.
- Disable JavaScript or enable hard-mode blocking: This may not be practicable, especially the JavaScript part, but this should protect against this particular type of attack.
- Use different browsers: If you use different browsers, you torpedo tracking attempts, as the trackers can’t link your activities between different apps or browsers (unless there is a common factor that is unique).
Adbleed demonstrates that the tools designed to protect users on the Internet can sometimes be used against them. It reveals how regional content blocking preferences may allow sites to fingerprint and track users. It is not an argument against content blocking, but rather a wake-up call that things are never as straightforward as they look like on first glance.