Slashdot Mirror


Websites Can Detect What Chrome Extensions You've Installed

dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes a worrisome entry in his blog: with a few lines of JavaScript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.

8 of 131 comments

  1. Re:Only a partial list by Anonymous Coward · · Score: 5, Informative

    The way this works is by looking for specific plugins (accessing the manifest.json in the of the extension with the plugin-id). He won't just find every plugin installed, but only the ones he is looking for. On his page he also links to some other site and they have a similar thing working for firefox.

  2. Websites can discriminate against Adblock users by satuon · · Score: 5, Interesting

    This can be used in a much more mundane way - a website can check if you have Adblock installed, and it can refuse to display its content to you then unless you uninstall it.

    1. Re:Websites can discriminate against Adblock users by wmbetts · · Score: 5, Interesting

      Why is that a problem? It's your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware

  3. Re:Only a partial list by Giorgio Maone · · Score: 5, Informative

    Two tiny corrections:

    1. He will find all your installed extensions among the ones he's looking for, because every Chrome extension has a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions for GUIDs of all the installable extensions, and he can detect your full extensions list.
    2. There's no such generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  4. Re:Only a partial list by Anonymous Coward · · Score: 5, Insightful

    The detector works by injecting SCRIPT elements referring to chrome-extension://[id]/manifest.json. It checks if this works for several popular extension ids. Common sense would dictate that it should be impossible to load chrome-extension: resources from http: contexts but I checked in a recent Chromium build and the browser just loads the resource. Chromium must be programmed by interns.

  5. Re:Only a partial list by Dan541 · · Score: 5, Interesting

    It lists zero for me because ScriptNo blocks it.

    If I allow scripting it detects LastPass, Ghostery and ScriptNo.

    --
    An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"

  6. Re:Only a partial list by Anonymous Coward · · Score: 5, Informative

    All the extensions contained in the chrome extension hub as recent as his last crawl of the entire website, sure. But no, he will not be able to detect all the extensions because you don't need to install extensions through the extension hub.

  7. Re:Only a partial list by Anonymous Coward · · Score: 5, Informative

    He will find all your installed extensions... that use manifest_version 1.

    "Resources inside of packages using manifest_version 2 or above are blocked by default, and must be whitelisted for use via this property."

    "Consider manifest version 1 deprecated as of Chrome 18. Version 2 is not yet required, but we will, at some point in the not-too-distant future, stop supporting packages using deprecated manifest versions. Extensions, applications, and themes that aren't ready to make the jump to the new manifest version in Chrome 18 can either explicitly specify version 1, or leave the key off entirely."

    https://code.google.com/chrome/extensions/trunk/manifest.html#web_accessible_resources
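
Added example (not part of any comment above, and not Chrome's own code): a Node.js audit an extension author can run over a manifest.json to see what web pages are allowed to load, following the manifest_version rules quoted in the last comment. It also accepts the later object form of web_accessible_resources, which goes beyond what the thread covers; the function names and sample manifests are hypothetical.

```javascript
// Added example; auditManifest, globToRegExp and SAMPLES are hypothetical names.
function globToRegExp(pattern) {
  // Entries may carry a leading "/" and "*" wildcards.
  const escaped = pattern
    .replace(/^\//, "")
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  // Leaving the key off means version 1, per the documentation quoted above.
  const version = Number.isInteger(manifest.manifest_version)
    ? manifest.manifest_version
    : 1;
  if (version < 2) {
    // Version 1: every packaged file, manifest.json included, is loadable by pages.
    return { version, exposure: "all", exposed: ["*"], manifestProbeable: true };
  }
  const raw = Array.isArray(manifest.web_accessible_resources)
    ? manifest.web_accessible_resources
    : [];
  // Version 2 lists path strings; version 3 wraps them as { resources: [...] }.
  const exposed = raw
    .flatMap((e) => (typeof e === "string" ? [e] : (e && e.resources) || []))
    .filter((p) => typeof p === "string");
  const manifestProbeable = exposed.some((p) => globToRegExp(p).test("manifest.json"));
  return { version, exposure: exposed.length ? "listed" : "none", exposed, manifestProbeable };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = {
  legacy: '{"name":"Legacy","version":"1.0"}',
  locked: '{"name":"Locked","version":"1.0","manifest_version":2}',
  icons: '{"name":"Icons","version":"1.0","manifest_version":2,"web_accessible_resources":["images/*.png"]}',
  open: '{"name":"Open","version":"1.0","manifest_version":2,"web_accessible_resources":["/manifest.json"]}',
};

function auditAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, text]) => [name, auditManifest(text)])
  );
}

console.log(auditAll());
```

An exposure of "listed" still lets a page test for the listed files, so keeping web_accessible_resources empty or as narrow as possible is what limits fingerprinting.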