Slashdot Mirror

← Back to Stories (view on slashdot.org)

Websites Can Detect What Chrome Extensions You've Installed

Posted by timothy on from the incognito-no-more dept.

dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes an worrisome entry in his blog: with a few lines of Javascript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.

8 of 131 comments (clear)

  1. Well, there it is: by Anonymous Coward · · Score: 4, Funny

    Yet another way that IE is better than Chrome.

    1. Re:Well, there it is: by WrongSizeGlass · · Score: 4, Funny

      I'm sure given time and the history of IE it probably doesn't need an extension to tell if you're pregnant...

      An extension is still going to be required to get someone pregnant.

    2. Re:Well, there it is: by Anonymous Coward · · Score: 4, Funny

      Some would suggest that if you're using IE you're already screwed

    3. Re:Well, there it is: by Anonymous Coward · · Score: 2, Funny

      Some would suggest that if you're using IE you're already screwed

      Ahh.. but that type of screwing can't get you pregnant.

  2. This is amazing by 93+Escort+Wagon · · Score: 4, Funny

    So let me get this straight - I can click on that link right now in Firefox and it's going to tell me what Chrome extensions I have installed? Unbelievable!

    --
    #DeleteChrome
  3. Re:Only a partial list by FireFury03 · · Score: 4, Funny

    The proof-of-concept listed only four out of my ten enabled extensions. Among those left out were Google Calendar, UA Spoofer, and Pastebin, among others. I'd say this 'exploit', if we can call it that, has a long way to go...

    That's because you only saw the first part of the exploit.

    The full exploit procedure is this:
    1. Direct someone at a website that lists a few of their installed extensions.
    2. Scan slashdot to find that person moaning about how crap the exploit is and look at the "missed" extensions they list in their comment.
    3. Combine the results of (1) and (2) to acquire a complete list of installed extensions for that person.

    --
    http://blog.nexusuk.org
  4. Re:Websites can discriminate against Adblock users by FudRucker · · Score: 4, Funny

    I block adds by placing "sticky notes" in strategic locations on my monitor, detect that!

    --
    Politics is Treachery, Religion is Brainwashing
  5. Re:Only a partial list by fafaforza · · Score: 4, Funny

    Don't you realize? The actual exploit is in getting people to comment and list all the extensions that were missed, getting the list from the source.