Fixxx

Researcher Melvin Lammerts has introduced a proof-of-concept tool named Adbleed, which reveals an unexpected method of partially de-anonymizing VPN users. The concept is that while a VPN effectively hides the user's real IP address and changes the geolocation to that of the selected server, it doesn't alter the ad-blocking rules employed by the browser. These rules often depend on the country and language.

How Adbleed Works

Most ad blockers rely on filter lists: extensive text-based rule sets that prevent the loading of domains, webpage elements and trackers. Base lists like EasyList focus on English-language ads and major international networks, but users in many countries (or the ad blocker itself) often add local filters. For instance, EasyList Germany may be active in Germany, while Liste FR is common in France. These additional lists contain many domains not found in the base set and this difference creates a fingerprint that can indicate a user's country or language, even if all traffic is routed through a VPN exit node in a different country.

Adbleed identifies active local lists entirely on the client side using JavaScript in the browser. The trick is based on refusal time: the script attempts to load a small site icon from a domain blocked only by a specific filter list for a particular country. If the ad blocker intercepts the request, an error occurs almost instantly, typically faster than 5 ms. Conversely, if there’s no block, the request goes out to the network, and even a simple DNS lookup for a non-existent domain adds tens or hundreds of milliseconds. This difference in delay serves as a signal.

For each country, the author tests 30 domains and concludes that a local list is active if at least 20 out of 30 domains are blocked. This threshold is intentionally high to minimize false positives: different browsers and extensions come with various sets of base filters, so some domains might be blocked due to chance overlaps. In typical scenarios featuring an active local filter, the result usually approaches 25-30 out of 30.

An additional challenge is gathering domain signatures that are truly unique to local lists and don't appear in the base EasyList. The author describes an approach involving rule comparison: extracting domain rules from the base list, then from each local one, subtracting intersections and prioritizing domains with national TLDs. Positive domains from the base EasyList are used to check if the ad blocker is operational, while negative domains that should not be blocked help eliminate odd configurations.

Implications for Anonymity

The key takeaway is an uncomfortable one for those relying on anonymity: this fingerprint can function through VPNs, Tor Browser and any proxies, and doesn't require cookies, permissions or server involvement. While it doesn't directly reveal identity, when combined with other signals like timezone, keyboard layout, fonts and screen resolution, it can significantly narrow down a user's identity.

Practically, mitigating this issue is challenging. Users can refrain from using local filters, but this increases the ads and tracking they encounter in their language. Alternatively, enabling several random local lists may break sites and increase noise. The option to disable the ad blocker altogether typically worsens privacy. The author suggests that ad blocker developers consider more careful application of local rules, activating certain rules only on relevant site domains rather than globally.

Adbleed is available for demonstration and the author explicitly warns that the configuration of the ad blocker becomes part of the user's digital fingerprint, which is not concealed by VPNs.
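
A filter-list audit tying the rule comparison described above to the suggested mitigation, as an added example that is not Adbleed's code or the author's: it subtracts the base list from a regional list and separates the remaining rules into those scoped with the Adblock Plus `domain=` option and those that apply on every page. The two lists, their hostnames and the function names are constructed for illustration.

```javascript
// Constructed sample lists for illustration; not real EasyList content.
const BASE_LIST = `
! base list (constructed)
||adnetwork.example^
||tracker.example^$third-party
@@||cdn.example^
example.org##.ad-banner
`;
const REGIONAL_LIST = `
! regional list (constructed)
||adnetwork.example^
||werbung.example.de^
||anzeigen.example.de^$third-party
||banner.example.de^$image,domain=nachrichten.example.de|sport.example.de
||promo.example.de^$domain=~shop.example.de
`;

// Collect "||host^[$options]" blocking rules as Map(host -> list of option arrays).
// Comments (!), exceptions (@@) and cosmetic rules (##) do not match and are skipped.
function parseDomainRules(text) {
  const rules = new Map();
  for (const raw of text.split("\n")) {
    const m = /^\|\|([a-z0-9.-]+)\^(?:\$(.+))?$/i.exec(raw.trim());
    if (!m) continue;
    const host = m[1].toLowerCase();
    if (!rules.has(host)) rules.set(host, []);
    rules.get(host).push(m[2] ? m[2].split(",") : []);
  }
  return rules;
}

// A rule is site-scoped only if domain= names at least one non-negated site.
// Options such as third-party or image limit the request type, not the page,
// and domain=~site only excludes one site, so neither counts as scoping.
function isScoped(opts) {
  const d = opts.find((o) => o.startsWith("domain="));
  return !!d && d.slice("domain=".length).split("|").some((e) => e && !e.startsWith("~"));
}

// shared: also in the base list (says nothing about region)
// scoped: regional-only, active on named sites only
// global: regional-only, active on every page (the observable difference)
function auditRegionalList(baseText, regionalText) {
  const base = parseDomainRules(baseText);
  const report = { shared: [], scoped: [], global: [] };
  for (const [host, ruleOpts] of parseDomainRules(regionalText)) {
    if (base.has(host)) report.shared.push(host);
    else if (ruleOpts.every(isScoped)) report.scoped.push(host);
    else report.global.push(host);
  }
  return report;
}

console.log(auditRegionalList(BASE_LIST, REGIONAL_LIST));
```

The size of the `global` bucket is what a list maintainer or ad blocker developer would aim to shrink by scoping rules.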