Slashdot Mirror


Websites Can Detect What Chrome Extensions You've Installed

dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes a worrisome entry in his blog: with a few lines of JavaScript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.

23 of 131 comments

  1. Well, there it is: by Anonymous Coward · · Score: 4, Funny

    Yet another way that IE is better than Chrome.

    1. Re:Well, there it is: by WrongSizeGlass · · Score: 4, Funny

      I'm sure given time and the history of IE it probably doesn't need an extension to tell if you're pregnant...

      An extension is still going to be required to get someone pregnant.

    2. Re:Well, there it is: by Anonymous Coward · · Score: 4, Funny

      Some would suggest that if you're using IE you're already screwed

    3. Re:Well, there it is: by hairyfeet · · Score: 4, Insightful

      Cute, but this is a REALLY bad thing, as if this gets out websites could use this to detect ABP and block content until you allow them to spam you with ads. Personally, and considering how many pieces of malware come from ads, a website has to PROVE they are worthy of showing me ads before I allow them. If you wish to be given an ABP exception you should have to have an appeal on your site where you explain what makes your advertising trustworthy, explain what ads are and are not allowed, and if you state a good case I'll be happy to add an exception and I'm sure many others will as well.

      Let's face it guys, we really wouldn't need extensions like ABP if the ad companies hadn't turned into giant douchebags. Can't infect a system with a plain text ad, but the companies wanted more "attention grabbing" ads so we have what we have now where you pretty much HAVE to use an adblocker just to surf the web with your sanity intact. Try spending an hour surfing the web with a browser with ZERO adblocking like QTWeb portable and see just how bad it's gotten; it's just amazing how much shit they throw up on the screen nowadays. We've ended up in a war with the advertisers who want to snatch your sound and wave their dicks in your face, and guys like in TFA showing sites how to make sure you get Goatse'd by the advertisers is SO not good.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Only a partial list by ThunderBird89 · · Score: 4, Interesting

    The proof-of-concept listed only four out of my ten enabled extensions. Among those left out were Google Calendar, UA Spoofer, and Pastebin, among others. I'd say this 'exploit', if we can call it that, has a long way to go...

    --
    Hyperbole: I use it liberally!
    1. Re:Only a partial list by Intropy · · Score: 4, Informative

      It got one of four for me. And the one it got was adblock which would be very easy to detect.

    2. Re:Only a partial list by Anonymous Coward · · Score: 5, Informative

      The way this works is by looking for specific plugins (accessing the manifest.json in the of the extension with the plugin-id). He won't just find every plugin installed, but only the ones he is looking for. On his page he also links to some other site and they have a similar thing working for Firefox.

    3. Re:Only a partial list by cheater512 · · Score: 4, Informative

      It's not a 'dump every extension' exploit. It has to check for each one specifically based on a list.
      Your extensions simply aren't on the list.

    4. Re:Only a partial list by Giorgio Maone · · Score: 5, Informative

      Two tiny corrections:
      1. He will find all your installed extensions among the ones he's looking for, because every Chrome extension has a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions for GUIDs of all the installable extensions, and he can detect your full extensions list.
      2. There's no such generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.
      --
      There's a browser safer than Firefox, it is Firefox, with NoScript
    5. Re:Only a partial list by Anonymous Coward · · Score: 5, Insightful

      The detector works by injecting SCRIPT elements referring to chrome-extension://[id]/manifest.json. It checks if this works for several popular extension ids. Common sense would dictate that it should be impossible to load chrome-extension: resources from http: contexts but I checked in a recent Chromium build and the browser just loads the resource. Chromium must be programmed by interns.

    6. Re:Only a partial list by Dan541 · · Score: 5, Interesting

      It lists zero for me because ScriptNo blocks it.

      If I allow scripting it detects LastPass, Ghostery and ScriptNo.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    7. Re:Only a partial list by Anonymous Coward · · Score: 5, Informative

      All the extensions contained in the chrome extension hub as recent as his last crawl of the entire website, sure. But no, he will not be able to detect all the extensions because you don't need to install extensions through the extension hub.

    8. Re:Only a partial list by Anonymous Coward · · Score: 5, Informative

      He will find all your installed extensions... that use manifest_version 1.

      "Resources inside of packages using manifest_version 2 or above are blocked by default, and must be whitelisted for use via this property."

      "Consider manifest version 1 deprecated as of Chrome 18. Version 2 is not yet required, but we will, at some point in the not-too-distant future, stop supporting packages using deprecated manifest versions. Extensions, applications, and themes that aren't ready to make the jump to the new manifest version in Chrome 18 can either explicitly specify version 1, or leave the key off entirely."

      https://code.google.com/chrome/extensions/trunk/manifest.html#web_accessible_resources
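
Added example (not part of the original thread or of Kotowicz's proof of concept): a Node.js audit of an extension's manifest.json that reports what a web page could load from it under the rule quoted in the comment above. The function names and sample manifests are constructed for illustration, and the handling of object-style `web_accessible_resources` entries is an assumption that goes beyond the page.

```javascript
// Classify an extension manifest by what a web page can load from
// chrome-extension://<id>/..., following the rule quoted in the thread:
// version 1 exposes everything, version 2+ only whitelisted resources.

// Convert a web_accessible_resources pattern ("images/*.png") to a RegExp.
// Simplified glob: "*" matches any run of characters.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/^\//, "")
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Returns { exposure: "all" | "listed" | "none", patterns: [...] }.
function auditManifest(manifest) {
  const version = manifest.manifest_version || 1; // key absent means version 1
  if (version < 2) {
    // Nothing is blocked, so manifest.json itself is loadable by any page.
    return { exposure: "all", patterns: ["*"] };
  }
  const war = manifest.web_accessible_resources || [];
  // Entries are plain strings; object entries carrying a "resources" array
  // are also accepted (assumption: layout used by later manifest versions).
  const patterns = war.flatMap((e) => (typeof e === "string" ? [e] : e.resources || []));
  return { exposure: patterns.length ? "listed" : "none", patterns };
}

// Could a web page load `path` from an extension with this manifest?
function isProbeable(manifest, path) {
  const { exposure, patterns } = auditManifest(manifest);
  if (exposure === "all") return true;
  return patterns.some((p) => patternToRegExp(p).test(path));
}

// Constructed sample manifests (not real extensions).
const legacy = { name: "Legacy Example" }; // no manifest_version key
const locked = { name: "Locked Example", manifest_version: 2 };
const partial = {
  name: "Partial Example",
  manifest_version: 2,
  web_accessible_resources: ["images/*.png", "inject.js"],
};

for (const m of [legacy, locked, partial]) {
  console.log(m.name, "->", auditManifest(m).exposure,
    "| manifest.json probeable:", isProbeable(m, "manifest.json"));
}
```

An extension reported as `listed` no longer exposes manifest.json, but each whitelisted path remains something a page can test for, so only `none` removes this particular signal.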

    9. Re:Only a partial list by FireFury03 · · Score: 4, Funny

      The proof-of-concept listed only four out of my ten enabled extensions. Among those left out were Google Calendar, UA Spoofer, and Pastebin, among others. I'd say this 'exploit', if we can call it that, has a long way to go...

      That's because you only saw the first part of the exploit.

      The full exploit procedure is this:
      1. Direct someone at a website that lists a few of their installed extensions.
      2. Scan slashdot to find that person moaning about how crap the exploit is and look at the "missed" extensions they list in their comment.
      3. Combine the results of (1) and (2) to acquire a complete list of installed extensions for that person.

    10. Re:Only a partial list by fafaforza · · Score: 4, Funny

      Don't you realize? The actual exploit is in getting people to comment and list all the extensions that were missed, getting the list from the source.

    11. Re:Only a partial list by number11 · · Score: 3

      On my Comodo Dragon (Chromium), detected ABP, Ghostery, and EditThisCookie. Missed 5 others. I'd say as "proof of concept" it works, presumably the site doesn't test for every conceivable extension.

  3. Websites can discriminate against Adblock users by satuon · · Score: 5, Interesting

    This can be used in a much more mundane way - a website can check if you have Adblock installed, and it can refuse to display its content to you then unless you uninstall it.

    1. Re:Websites can discriminate against Adblock users by wmbetts · · Score: 5, Interesting

      Why is that a problem? It's your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    2. Re:Websites can discriminate against Adblock users by Anonymous Coward · · Score: 4, Insightful

      Why is that a problem? It's your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

      And it's your right to make it hard to see whether you're blocking and it's their right to make their ads hard to block. So if you want to see the content without the ads then it's a problem for you if you can't, just as if they don't want you to see the ads without the content then it's a problem for them if you can.

      The fact that someone has a right to do something is pretty much completely unrelated to whether their doing it presents a problem. It's my right to buy the last roll of toilet paper in the shop but if you've run out then that can be a problem for you if I do.

    3. Re:Websites can discriminate against Adblock users by FudRucker · · Score: 4, Funny

      I block ads by placing "sticky notes" in strategic locations on my monitor, detect that!

      --
      Politics is Treachery, Religion is Brainwashing
  4. This is amazing by 93 Escort Wagon · · Score: 4, Funny

    So let me get this straight - I can click on that link right now in Firefox and it's going to tell me what Chrome extensions I have installed? Unbelievable!

    --
    #DeleteChrome
  5. Re:Isn't this expected behavior? by Squirmy McPhee · · Score: 3, Interesting

    If you don't like the behavior, you have quite a few options: Remove the extension, disable it, go incognito when you don't want your extensions detected, or simply use another browser

    Hmm ... it seems I may have been a little too quick. When I visit the site running the extension-detection script in incognito mode, it is still able to detect my extensions. Now I wonder if disabling is even effective.

    That said, I don't really think there's anything anybody can learn about me from the extensions I have installed -- at least, not anything that I wouldn't tell a total stranger. Since there are few extensions that don't interact with at least one website, I think that's a good policy to follow even if you're a Firefox user.

  6. Re:No Javascript -- no problem by aix tom · · Score: 3, Interesting

    And don't get me started on that useless enterprise-y software which thinks it needs to be "browser based".

    For example: We now run multiple client based software packages for different tasks in our company. They can be configured to interact any way we choose (for example a document from content management can be opened INSIDE the point of sale software, so that people at the cash register can view documents pertaining to the customer currently in transaction, so that they can for example pull up the letter the customer claimed to have sent last week to your central office).

    When about a decade ago "web based" solutions started to happen, at first we thought "oh, cool, stuff like that will get easier because sooner or later all calls like that can be done via HTTP and URLs." In our own client applications we now use HTTP a lot to request data from other systems in the background. Protocol wise it's a really nice thing.

    But putting the *FRONTEND* of an enterprise application into the browser is pretty messed up, since most of the time you need a lot of integration between different systems on the user side, and that is pretty much forbidden by the browser security model.

    What I think is *really* needed for HTML5 Enterprise "GUIs" to work is a separate HTML/CSS/JavaScript display application for "trusted apps" that can interact freely with everything and a "web browser" for the public Internet. Or some way to tell a browser that THIS signed "application" is allowed to talk to THAT signed "application" even with cross-site scripting.