Forgot your password?
typodupeerror
Chrome Privacy Security

Websites Can Detect What Chrome Extensions You've Installed 131

Posted by timothy
from the incognito-no-more dept.
dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes an worrisome entry in his blog: with a few lines of Javascript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.
This discussion has been archived. No new comments can be posted.

Websites Can Detect What Chrome Extensions You've Installed

Comments Filter:
  • by Anonymous Coward on Saturday March 17, 2012 @04:50AM (#39387637)

    The detector works by injecting SCRIPT elements referring to chrome-extension://[id]/manifest.json. It checks if this works for several popular extension ids. Common sense would dictate that it should be impossible to load chrome-extension: resources from http: contexts but I checked in a recent Chromium build and the browser just loads the resource. Chromium must be programmed by interns.

  • by wvmarle (1070040) on Saturday March 17, 2012 @05:21AM (#39387741)

    AC before you explained how there is actually a dump-all function. The proof-of-concept just doesn't check for all existing plug-ins. Besides, the detection of even a few plug-ins other than via their external behaviour (e.g. not loading ads like ABP does) is bad enough.

  • by Anonymous Coward on Saturday March 17, 2012 @05:31AM (#39387773)

    Why is that a problem? Its your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

    And its your right to make it hard to see whether you're blocking and it's their right to make their ads hard to block. So if you want to see the content without the ads then it's a problem for you if you can't, just as if they don't want you to see the ads without the content then it's a problem for them if you can.

    The fact that someone has a right to do something is pretty much completely unrelated to whether their doing it presents a problem. It's my right to buy the last roll of toilet paper in the shop but if you've run out then that can be a problem for you if I do.

  • Re:This is amazing (Score:2, Insightful)

    by bytesex (112972) on Saturday March 17, 2012 @09:01AM (#39388389) Homepage

    I tried Chrome the other day for the first time, and I was not impressed. All those things that I'd come to expect from using Firefox in Linux - flash not (immediately) working, websites gratuitously opening new windows in the background, and not a single way to make sure you have a menu or even a 'quit' button - I felt quite unsafe and not-in-control. Every now and then I come into contact with a computing experience the way the rest of the world expects it, and I find it most unpleasant.

  • by markdavis (642305) on Saturday March 17, 2012 @09:11AM (#39388451)

    People who use typically choose Chrome (the Google Browser) don't strike me as people who are all THAT concerned about their privacy. It might be a nice browser, but it is closed-source, and heavy into the "Google way" (which to me means to share all your information with Google).

    At least with Chromium, people can see what is going on inside...

  • by hairyfeet (841228) <bassbeast1968@gm[ ].com ['ail' in gap]> on Saturday March 17, 2012 @12:07PM (#39389611) Journal

    Cute but this is a REALLY bad thing as if this gets out websites could use this to detect ABP and block content until you allow them to spam you with ads. Personally and considering how many pieces of malware comes from ads a website has to PROVE they are worthy of showing me ads before I allow them. If you wish to be given an ABP exception you should have to have an appeal on your site where you explain what makes your advertising trustworthy, explain what ads are and are not allowed and if you state a good case i'll be happy to add an exception and i'm sure many others will as well.

    Lets face it guys, we really wouldn't need extensions like ABP if the ad companies hadn't turned into giant douchebags. can't infect a system with a plain text ad, but the companies wanted more "attention grabbing" ads so we have what we have now where you pretty much HAVE to use an adblocker just to surf the web with your sanity intact. Try spending an hour surfing the web with a browser with ZERO adblocking like QTWeb portable and see just how bad its gotten, its just amazing how much shit they throw up on the screen nowadays. We've ended up in a war with the advertisers who want to snatch your sound and wave their dicks in your face and guys like in TFA showing sites how to make sure you get Gostse'd by the advertisers is SO not good.

Q: How many IBM CPU's does it take to execute a job? A: Four; three to hold it down, and one to rip its head off.

Working...