Websites Can Detect What Chrome Extensions You've Installed 131
dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes an worrisome entry in his blog: with a few lines of Javascript,
any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.
Re:Only a partial list (Score:5, Informative)
It got one of four for me. And the one it got was adblock which would be very easy to detect.
Re:Only a partial list (Score:5, Informative)
The way this works is by looking for specific plugins (acessing the manifest.json in the of the extension with the plugin-id). He won't just find every plugin installed, but only the ones he is looking for. On his page he also links to some other site and they have a similar thing working for firefox.
Re:Only a partial list (Score:5, Informative)
Its not a 'dump every extension' exploit. It has to check for each one specifically based on a list.
Your extensions simply aren't on the list.
Re:Only a partial list (Score:5, Informative)
Re:Only a partial list (Score:5, Informative)
All the extensions contained in the chrome extension hub as recent as his last crawl of the entire website, sure. But no, he will not be able to detect all the extensions because you don't need to install extensions through the extension hub.
Re:Only a partial list (Score:5, Informative)
He will find all your installed extensions... that use manifest_version 1.
"Resources inside of packages using manifest_version 2 or above are blocked by default, and must be whitelisted for use via this property."
"Consider manifest version 1 deprecated as of Chrome 18. Version 2 is not yet required, but we will, at some point in the not-too-distant future, stop supporting packages using deprecated manifest versions. Extensions, applications, and themes that aren't ready to make the jump to the new manifest version in Chrome 18 can either explicitly specify version 1, or leave the key off entirely."
https://code.google.com/chrome/extensions/trunk/manifest.html#web_accessible_resources