Websites Can Detect What Chrome Extensions You've Installed 131
dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes an worrisome entry in his blog: with a few lines of Javascript,
any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.
Re:Only a partial list (Score:5, Insightful)
The detector works by injecting SCRIPT elements referring to chrome-extension://[id]/manifest.json. It checks if this works for several popular extension ids. Common sense would dictate that it should be impossible to load chrome-extension: resources from http: contexts but I checked in a recent Chromium build and the browser just loads the resource. Chromium must be programmed by interns.
Re:Only a partial list (Score:3, Insightful)
AC before you explained how there is actually a dump-all function. The proof-of-concept just doesn't check for all existing plug-ins. Besides, the detection of even a few plug-ins other than via their external behaviour (e.g. not loading ads like ABP does) is bad enough.
Re:Websites can discriminate against Adblock users (Score:4, Insightful)
Why is that a problem? Its your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."
And its your right to make it hard to see whether you're blocking and it's their right to make their ads hard to block. So if you want to see the content without the ads then it's a problem for you if you can't, just as if they don't want you to see the ads without the content then it's a problem for them if you can.
The fact that someone has a right to do something is pretty much completely unrelated to whether their doing it presents a problem. It's my right to buy the last roll of toilet paper in the shop but if you've run out then that can be a problem for you if I do.
Re:This is amazing (Score:2, Insightful)
I tried Chrome the other day for the first time, and I was not impressed. All those things that I'd come to expect from using Firefox in Linux - flash not (immediately) working, websites gratuitously opening new windows in the background, and not a single way to make sure you have a menu or even a 'quit' button - I felt quite unsafe and not-in-control. Every now and then I come into contact with a computing experience the way the rest of the world expects it, and I find it most unpleasant.
Chrome Google vs. Privacy (Score:3, Insightful)
People who use typically choose Chrome (the Google Browser) don't strike me as people who are all THAT concerned about their privacy. It might be a nice browser, but it is closed-source, and heavy into the "Google way" (which to me means to share all your information with Google).
At least with Chromium, people can see what is going on inside...
Comment removed (Score:5, Insightful)