On Monday, Ars reported that Dell was shipping PCs that came pre-installed with digital certificates that made it easy for attackers to cryptographically impersonate any website on the Internet. Now, a researcher has shown that many Dell computers can be surreptitiously forced to reveal the number that company employees use to identify customers.
The unique Dell service tag can be used to fingerprint users even when they turn on the private browsing mode of their favorite browser, delete all browser cookies, or take other steps to block being tracked. The ID can also be entered into this Dell webpage to obtain warranty information. Fraudulent computer support services, which claim to be from Microsoft or another well-known company in an attempt to gain control of a target's machine, could also use the identifier to make their ruse more convincing.
Websites can surreptitiously acquire the ID of just about any Dell machine that's running Dell Foundation Services, an official Dell application designed to make it easier for customers to get technical support. As this proof-of-concept site demonstrates, the exploit works relatively quickly and reliably. While the proof-of-concept site is transparent about what it's doing, there's nothing stopping other sites from running the ID-scraping code in the background so users have no idea they're being tracked.