AdBleed Fingerprinting Exposes VPN Users, Undermining Privacy Worldwide

Andrew Lawson  - Streaming Expert
Last updated: February 12, 2026
VPN Anonymity Undermined by New AdBleed Fingerprinting Technique
Radar Rundown
  • A researcher developed a new fingerprinting technique called AdBleed that reveals user locations despite VPN protection.

  • The method exploits country-specific adblock filter lists to identify a user’s likely country or language preferences.

  • The technique bypasses VPNs, proxies, and Tor Browser because it probes browser configuration rather than network traffic.

VPN services promise anonymity. They mask your IP address and encrypt your traffic. A new browser fingerprinting technique just exposed a critical weakness. Your adblocker might be giving away your location.

Independent researcher Melvin Lammerts developed this clever exploit. He calls it AdBleed. The technique reveals where users are located by analyzing which regional adblock filters they have enabled. VPNs and Tor cannot stop it.

Adblockers reveal your location

Lammerts publicly demonstrated the proof-of-concept at adbleed.eu. The technique exposes a privacy leak that security experts previously overlooked. Country-specific adblock filter lists create a unique fingerprint. This fingerprint works even when users route all of their traffic through privacy tools.

Popular adblockers like AdBlock Plus, uBlock Origin, AdGuard, and Brave’s Shields all rely on community-maintained filter lists. These include EasyList, which targets ad and tracker domains across the globe. Many users also enable country-specific lists. Examples include EasyList Germany, Liste FR, or EasyList Italy. These lists block localized ad networks that global filters miss.

AdBleed checks which regional domains your browser blocks. JavaScript runs in the browser and attempts to load resources from domains on country-specific filter lists. The technique infers which regional list you have active based on which domains get blocked. VPNs only conceal IP addresses. They do not hide browser-side settings such as your adblocker's filter lists. The detection remains effective no matter how you route your traffic.

The detection relies on timing analysis. JavaScript attempts to load a small resource, typically a favicon, from domains on country-specific lists. Blocked resources trigger an onerror event almost instantly. The browser usually responds within 5 milliseconds because it intercepts the request before it reaches the network.

Unblocked domains force the browser to attempt a DNS lookup or TCP connection. This creates a noticeably longer delay. Lammerts tests 30 domains per region and uses a conservative threshold. If 20 of the 30 domains are blocked, the technique concludes that the corresponding country filter list is active.

Practical operation of the technique

Lammerts carefully curated the domain sets to ensure accuracy. He programmatically removed entries that also appear in general lists like EasyList to avoid overlap. The researcher used positive and negative control domains to validate the presence of an ad blocker. This eliminates edge-case errors from the scan.

The proof-of-concept currently tests lists for Germany, France, Italy, the Netherlands, Spain, Brazil, and Russia. The live demonstration provides a confidence score and a full scan breakdown.

Lammerts first tested the technique on Brave Browser with its built-in Shields enabled, then expanded experiments to other blockers like uBlock Origin and AdBlock Plus. Different base rule sets may affect the accuracy of detection.

Unlike traditional fingerprinting methods, AdBleed operates entirely in the browser. The technique requires no server-side cooperation. It does not depend on storage APIs or cookies. The method bypasses basic anonymity systems like proxies, VPNs, and Tor. It exploits adblocker configuration as a behavioral signal that reveals user identity.

The technique affects virtually all users who employ regional adblock filters. Browser locale often enables these filters automatically. Some adblockers also prompt users to add country-specific lists during installation. The domains these lists block belong to regional ad networks specific to each country. Global filter lists typically do not include these networks.

Limited options for protection

Users concerned about anonymity face difficult choices for mitigation. Skipping region-based filter lists completely increases exposure to localized trackers and ads. One potential workaround involves enabling several unrelated country lists to dilute the signal. This approach may result in overblocking. Users might experience reduced site functionality.

More extreme options include not using an adblocker at all. This ironically reduces privacy in other ways by exposing users to tracking scripts and malicious ads. Adblocker developers could address this vulnerability by adopting context-aware filtering. Country-specific rules would only trigger for matching local content or domains.
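To make the inference and the multi-list workaround concrete, here is an added example (not Lammerts' code) that applies the article's 5 ms and 20-of-30 rule, plus the positive and negative control check, to constructed timings. The region keys, the `sample` helper, the data shape and the `<=`/`>=` comparisons are assumptions; no network requests are made.

```javascript
// Added example: scores constructed timings only, it never loads a resource.
const BLOCK_MS = 5;      // article: blocked requests fail within about 5 ms
const MIN_BLOCKED = 20;  // article: 20 of 30 probes per region (>= is assumed)
const PROBES = 30;

// Constructed sample: `blocked` fast failures, the rest slow (network-bound).
function sample(blocked, total = PROBES) {
  return Array.from({ length: total }, (_, i) =>
    i < blocked ? 1 + (i % 4) : 40 + i);
}

const countBlocked = (timings) =>
  timings.filter((ms) => ms <= BLOCK_MS).length;

// scan = { controls: { positive: ms, negative: ms }, regions: { de: [ms, ...] } }
function classify(scan) {
  const { positive, negative } = scan.controls;
  // Positive control (a domain on the global list) must fail fast.
  if (positive > BLOCK_MS) return { verdict: "no-adblocker", regions: [] };
  // Negative control (a domain on no list) must not fail fast; if it does,
  // everything is failing (offline, strict firewall) and timings mean nothing.
  if (negative <= BLOCK_MS) return { verdict: "inconclusive", regions: [] };

  const scores = {};
  for (const [region, timings] of Object.entries(scan.regions)) {
    scores[region] = countBlocked(timings);
  }
  const regions = Object.keys(scores).filter((r) => scores[r] >= MIN_BLOCKED);
  const verdict =
    regions.length === 1 ? "single-region"
    : regions.length > 1 ? "ambiguous"      // several lists on: signal diluted
    : "no-regional-list";
  return { verdict, regions, scores };
}

// Constructed scans: one regional list enabled vs. three unrelated lists enabled.
const controls = { positive: 2, negative: 60 };
const single = classify({
  controls, regions: { de: sample(26), fr: sample(1), it: sample(0) } });
const diluted = classify({
  controls, regions: { de: sample(26), fr: sample(24), it: sample(22) } });
console.log(single.verdict, single.regions, diluted.verdict, diluted.regions);
```

With one list enabled the rule yields a single country; with several enabled it can only report an ambiguous set, which is the dilution the workaround relies on.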

This discovery adds a new dimension to the browser fingerprinting landscape. Existing vectors already include screen resolution, installed fonts, and timezone settings. AdBleed proves that even tools meant to enhance privacy can inadvertently create unique identifiers. The research sheds light on the ongoing cat-and-mouse game between tracking techniques and privacy tools.


About the Author

Andrew Lawson

Streaming Expert

Andrew is a Brazilian-born professional, detail-oriented writer with over 3 years of experience. With time, he changed his niche and started writing articles and blogs about privacy, VPNs, security, and anonymity. Andrew has worked for several websites and boasts a bachelor's degree in Computer Science, which helps him spread his tech knowledge to the world through his words. His qualities, expertise, and techniques, are what align him as a perfect choice for any company.
