Websites Can Detect What Chrome Extensions You've Installed

dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes an worrisome entry in his blog: with a few lines of Javascript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.

Re:Only a partial list

[Intropy]

It got one of four for me. And the one it got was adblock which would be very easy to detect.

Re:Only a partial list

[Anonymous Coward]

The way this works is by looking for specific plugins (acessing the manifest.json in the of the extension with the plugin-id). He won't just find every plugin installed, but only the ones he is looking for. On his page he also links to some other site and they have a similar thing working for firefox.

Re:Only a partial list

[cheater512]

Its not a 'dump every extension' exploit. It has to check for each one specifically based on a list.
Your extensions simply aren't on the list.

Re:Only a partial list

[Giorgio Maone]

Two tiny corrections:

1. He will find all your installed extensions among the ones he's looking for, because every Chrome extension have a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions [google.com] for GUIDs of all the installable extensions, and he can detect your full extensions list.
2. There's no such a generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.

Re:Only a partial list

[Anonymous Coward]

All the extensions contained in the chrome extension hub as recent as his last crawl of the entire website, sure. But no, he will not be able to detect all the extensions because you don't need to install extensions through the extension hub.

Re:Only a partial list

[Anonymous Coward]

He will find all your installed extensions... that use manifest_version 1.

"Resources inside of packages using manifest_version 2 or above are blocked by default, and must be whitelisted for use via this property."

"Consider manifest version 1 deprecated as of Chrome 18. Version 2 is not yet required, but we will, at some point in the not-too-distant future, stop supporting packages using deprecated manifest versions. Extensions, applications, and themes that aren't ready to make the jump to the new manifest version in Chrome 18 can either explicitly specify version 1, or leave the key off entirely."

https://code.google.com/chrome/extensions/trunk/manifest.html#web_accessible_resources