
Websites Can Detect What Chrome Extensions You've Installed (131 comments)

dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes a worrisome entry in his blog: with a few lines of JavaScript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.
  • Only a partial list (Score:5, Interesting)

    by ThunderBird89 ( 1293256 ) on Saturday March 17, 2012 @03:57AM (#39387465)

    The proof-of-concept listed only four out of my ten enabled extensions. Among those left out were Google Calendar, UA Spoofer, and Pastebin, among others. I'd say this 'exploit', if we can call it that, has a long way to go...

  • by satuon ( 1822492 ) on Saturday March 17, 2012 @04:14AM (#39387533)

    This can be used in a much more mundane way - a website can check if you have Adblock installed, and it can refuse to display its content to you then unless you uninstall it.

  • by wmbetts ( 1306001 ) on Saturday March 17, 2012 @04:27AM (#39387585)

    Why is that a problem? It's your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

  • by Dan541 ( 1032000 ) on Saturday March 17, 2012 @04:53AM (#39387651) Homepage

    It lists zero for me because ScriptNo blocks it.

    If I allow scripting it detects LastPass, Ghostery and ScriptNo.

  • by Squirmy McPhee ( 856939 ) on Saturday March 17, 2012 @05:28AM (#39387763)

    If you don't like the behavior, you have quite a few options: Remove the extension, disable it, go incognito when you don't want your extensions detected, or simply use another browser

    Hmm ... it seems I may have been a little too quick. When I visit the site running the extension-detection script in incognito mode, it is still able to detect my extensions. Now I wonder if disabling is even effective.

    That said, I don't really think there's anything anybody can learn about me from the extensions I have installed -- at least, not anything that I wouldn't tell a total stranger. Since there are few extensions that don't interact with at least one website, I think that's a good policy to follow even if you're a Firefox user.

  • by aix tom ( 902140 ) on Saturday March 17, 2012 @06:28AM (#39387895)

    And don't get me started on that useless enterprise-y software which thinks it needs to be "browser based".

    For example: We now run multiple client based software packages for different tasks in our company. They can be configured to interact any way we choose (for example a document from content management can be opened INSIDE the point of sale software, so that people at the cash register can view documents pertaining to the customer currently in transaction, so that they can for example pull up the letter the customer claimed to have sent last week to your central office).

    When about a decade ago "web based" solutions started to happen at first we thought "oh, cool, stuff like that will get easier because sooner or later all calls like that can be done via HTTP and URLs." In our own client applications we now use HTTP a lot to request data from other systems in the background. Protocol wise it's a really nice thing.

    But putting the *FRONTEND* of an enterprise application into the browser is pretty messed up, since most of the time you need a lot of integration between different systems on the user side, and that is pretty much forbidden by the browser security model.

    What I think is *really* needed for HTML5 Enterprise "GUIs" to work is a separate HTML/CSS/JavaScript display application for "trusted apps" that can interact freely with everything and a "web browser" for the public Internet. Or some way to tell a browser that THIS signed "application" is allowed to talk to THAT signed "application" even with cross-site scripting.
