Chrome Privacy Security

Websites Can Detect What Chrome Extensions You've Installed

Posted by timothy
from the incognito-no-more dept.
dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes a worrisome entry in his blog: with a few lines of JavaScript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.

  • by Intropy (2009018) on Saturday March 17, 2012 @04:03AM (#39387491)

    It got one of four for me. And the one it got was adblock which would be very easy to detect.

  • by Anonymous Coward on Saturday March 17, 2012 @04:11AM (#39387517)

    The way this works is by looking for specific plugins (accessing the manifest.json in the of the extension with the plugin-id). He won't just find every plugin installed, but only the ones he is looking for. On his page he also links to some other site and they have a similar thing working for Firefox.

  • by cheater512 (783349) <nick@nickstallman.net> on Saturday March 17, 2012 @04:22AM (#39387563) Homepage

    It's not a 'dump every extension' exploit. It has to check for each one specifically based on a list.
    Your extensions simply aren't on the list.

  • by Giorgio Maone (913745) on Saturday March 17, 2012 @04:26AM (#39387581) Homepage

    Two tiny corrections:
    1. He will find all your installed extensions among the ones he's looking for, because every Chrome extension has a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions [google.com] for GUIDs of all the installable extensions, and he can detect your full extensions list.
    2. There's no such generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.

  • by Anonymous Coward on Saturday March 17, 2012 @05:09AM (#39387709)

    All the extensions contained in the chrome extension hub as recent as his last crawl of the entire website, sure. But no, he will not be able to detect all the extensions because you don't need to install extensions through the extension hub.

  • by Anonymous Coward on Saturday March 17, 2012 @05:54AM (#39387837)

    He will find all your installed extensions... that use manifest_version 1.

    "Resources inside of packages using manifest_version 2 or above are blocked by default, and must be whitelisted for use via this property."

    "Consider manifest version 1 deprecated as of Chrome 18. Version 2 is not yet required, but we will, at some point in the not-too-distant future, stop supporting packages using deprecated manifest versions. Extensions, applications, and themes that aren't ready to make the jump to the new manifest version in Chrome 18 can either explicitly specify version 1, or leave the key off entirely."

    https://code.google.com/chrome/extensions/trunk/manifest.html#web_accessible_resources
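
For anyone auditing their own extensions against the manifest_version behaviour quoted in the comment above, here is an added example (not code from the thread, the researcher's blog or Chrome itself). It classifies parsed manifest.json objects by what the quoted documentation says web pages can load. The sample manifests, placeholder IDs and function names are constructed for illustration, and web_accessible_resources is assumed to be a list of path strings.

```javascript
// Constructed sample manifests keyed by placeholder extension IDs (not real extensions).
const sampleManifests = {
  "placeholder-id-legacy-implicit": { name: "Legacy, key omitted", version: "1.0" },
  "placeholder-id-legacy-explicit": { name: "Legacy, explicit v1", version: "2.1", manifest_version: 1 },
  "placeholder-id-v2-closed": { name: "v2, nothing whitelisted", version: "0.3", manifest_version: 2 },
  "placeholder-id-v2-open": {
    name: "v2, two resources whitelisted", version: "0.9", manifest_version: 2,
    web_accessible_resources: ["images/logo.png", "inject.css"]
  }
};

// Classify one parsed manifest.json by what a web page can load from the package.
function classifyManifest(manifest) {
  // Leaving the key off is treated the same as declaring version 1.
  const raw = manifest.manifest_version;
  const version = raw === undefined ? 1 : Number(raw);
  if (!Number.isInteger(version) || version < 1) {
    return { exposure: "invalid-manifest-version", resources: [] };
  }
  if (version < 2) {
    // Version 1: no default blocking, so every packaged file is reachable.
    return { exposure: "all-resources", resources: ["*"] };
  }
  // Version 2 and above: blocked by default; only whitelisted paths stay reachable.
  const listed = manifest.web_accessible_resources;
  const resources = Array.isArray(listed)
    ? listed.filter((p) => typeof p === "string" && p.length > 0)
    : [];
  return resources.length > 0
    ? { exposure: "whitelisted-resources", resources }
    : { exposure: "none", resources };
}

// Audit a map of extension ID -> manifest and flag the ones a web page can see.
function auditExtensions(manifests) {
  return Object.entries(manifests).map(([id, manifest]) => {
    const { exposure, resources } = classifyManifest(manifest);
    const webVisible = exposure === "all-resources" || exposure === "whitelisted-resources";
    return { id, name: manifest.name, exposure, resources, webVisible };
  });
}

console.log(auditExtensions(sampleManifests));
```

An extension reported with exposure "none" is the only kind here that serves no files to web pages; the others remain visible through whatever they expose.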
