Chrome Privacy Security

Websites Can Detect What Chrome Extensions You've Installed 131

Posted by timothy
from the incognito-no-more dept.
dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes a worrisome entry in his blog: with a few lines of JavaScript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the easiness of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Saturday March 17, 2012 @03:53AM (#39387449)
    Yet another way that IE is better than Chrome.
    • by Centurix (249778)

      That IE can't detect what Chrome extensions you have installed? I'm sure given time and the history of IE it probably doesn't need an extension to tell if you're pregnant...

      • by WrongSizeGlass (838941) on Saturday March 17, 2012 @07:08AM (#39387975)

        I'm sure given time and the history of IE it probably doesn't need an extension to tell if you're pregnant...

        An extension is still going to be required to get someone pregnant.

        • by Anonymous Coward on Saturday March 17, 2012 @09:16AM (#39388467)
          Some would suggest that if you're using IE you're already screwed
          • Re: (Score:2, Funny)

            by Anonymous Coward

            Some would suggest that if you're using IE you're already screwed

            Ahh.. but that type of screwing can't get you pregnant.

            • by youn (1516637)

              Some would suggest that if you're using IE you're already screwed

              Ahh.. but that type of screwing can't get you pregnant.

              who knows... imagine a woman is using a period tracking extension and the person is misled to think she won't get pregnant

              • by hairyfeet (841228) <bassbeast1968@gm[ ].com ['ail' in gap]> on Saturday March 17, 2012 @12:07PM (#39389611) Journal

                Cute but this is a REALLY bad thing as if this gets out websites could use this to detect ABP and block content until you allow them to spam you with ads. Personally and considering how many pieces of malware come from ads a website has to PROVE they are worthy of showing me ads before I allow them. If you wish to be given an ABP exception you should have to have an appeal on your site where you explain what makes your advertising trustworthy, explain what ads are and are not allowed and if you state a good case I'll be happy to add an exception and I'm sure many others will as well.

                Let's face it guys, we really wouldn't need extensions like ABP if the ad companies hadn't turned into giant douchebags. Can't infect a system with a plain text ad, but the companies wanted more "attention grabbing" ads so we have what we have now where you pretty much HAVE to use an adblocker just to surf the web with your sanity intact. Try spending an hour surfing the web with a browser with ZERO adblocking like QTWeb portable and see just how bad it's gotten, it's just amazing how much shit they throw up on the screen nowadays. We've ended up in a war with the advertisers who want to snatch your sound and wave their dicks in your face and guys like in TFA showing sites how to make sure you get Gostse'd by the advertisers is SO not good.

                • by sdnoob (917382)

                  Try spending an hour surfing the web with a browser with ZERO adblocking

                  i end up on an adblock-free browser for at least that long every week. it's horrible how much crap there is and just how much it slows down your browsing. so many trackers, so many ads, so many beacons & cookies, so many scripts... from so many third-party domains... so much slower, less responsive, harder to navigate, harder to read, plus much less secure and much more invasive.. the internet just fucking sucks without adblock + n

                  • by hairyfeet (841228)
                    Painful isn't it? I swear I have 12mbps cable and when I have to use IE on a customer's PC it's like going back to dialup, it's just sooooooo slow. As I found out with QTWeb it isn't IE's fault either, it's as you say and so damned many third parties being called that just drag the whole thing down. That is why as a service to my customers the first thing I do is install a browser with ABP, first it was FF, now The Dragon, but in either case compared to running without adblock it's like a breath of fresh air. I
                  • by bartoku (922448)
                    What kind of sites are you guys browsing? I have never run an adblocker in my life, I use Firefox, I really have little to no complaints.

                    Just like SPAM, illicit drugs, and NYSNC, I blame stupid consumers for their creation.
                    Someone is trying to buy V1agra, snort something, and listen to pop music.
                    If obnoxious advertisements did not work we would not see them.
                • Dude, you really have that problem? I only go to slashdot and Google, if something is flushed with ads I just leave.

      • by grolschie (610666)

        ... I'm sure given time and the history of IE it probably doesn't need an extension to tell if you're pregnant...

        It wouldn't be so hard to detect web searches for recipes where dirt is the primary ingredient. ;-)

    • Panopticlick, I'm sure we're all familiar with this. In summary, sometimes running IE8 or 9 or whatever is the most popular, is the best way to not draw attention to yourself and one of the best ways to blend in. Obviously the full picture is more complicated than that but it's interesting.
  • Only a partial list (Score:5, Interesting)

    by ThunderBird89 (1293256) <zalanmeggyesi AT yahoo DOT com> on Saturday March 17, 2012 @03:57AM (#39387465)

    The proof-of-concept listed only four out of my ten enabled extensions. Among those left out were Google Calendar, UA Spoofer, and Pastebin, among others. I'd say this 'exploit', if we can call it that, has a long way to go...

    • by Intropy (2009018) on Saturday March 17, 2012 @04:03AM (#39387491)

      It got one of four for me. And the one it got was adblock which would be very easy to detect.

    • by Anonymous Coward on Saturday March 17, 2012 @04:11AM (#39387517)

      The way this works is by looking for specific plugins (accessing the manifest.json in the of the extension with the plugin-id). He won't just find every plugin installed, but only the ones he is looking for. On his page he also links to some other site and they have a similar thing working for firefox.

      • by Giorgio Maone (913745) on Saturday March 17, 2012 @04:26AM (#39387581) Homepage
        Two tiny corrections:
        1. He will find all your installed extensions among the ones he's looking for, because every Chrome extension has a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions [google.com] for GUIDs of all the installable extensions, and he can detect your full extensions list.
        2. There's no such generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.
        • by Anonymous Coward on Saturday March 17, 2012 @05:09AM (#39387709)

          All the extensions contained in the chrome extension hub as recent as his last crawl of the entire website, sure. But no, he will not be able to detect all the extensions because you don't need to install extensions through the extension hub.

        • by Anonymous Coward on Saturday March 17, 2012 @05:54AM (#39387837)

          He will find all your installed extensions... that use manifest_version 1.

          "Resources inside of packages using manifest_version 2 or above are blocked by default, and must be whitelisted for use via this property."

          "Consider manifest version 1 deprecated as of Chrome 18. Version 2 is not yet required, but we will, at some point in the not-too-distant future, stop supporting packages using deprecated manifest versions. Extensions, applications, and themes that aren't ready to make the jump to the new manifest version in Chrome 18 can either explicitly specify version 1, or leave the key off entirely."

          https://code.google.com/chrome/extensions/trunk/manifest.html#web_accessible_resources

          • by Anonymous Coward

            That would be all of them for a while yet, as Chrome 18 is still in beta, and

            Setting manifest_version 2 in Chrome 17 or lower is not recommended. If your extension needs to work in older versions of Chrome, stick with version 1 for the moment. We'll give you ample warning before version 1 stops working.
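The manifest_version rule quoted in the comments above can be checked from the extension author's side. The following is an added example, not code from the thread, the proof of concept, or Chrome: it audits a parsed manifest.json and reports which packaged files an ordinary web page would be allowed to load. The names `auditManifest` and `patternToRegExp` and the sample manifests are hypothetical, and `*` is assumed to be the only wildcard used in `web_accessible_resources`.

```javascript
'use strict';

// Turn a web_accessible_resources entry such as "images/*.png" into a RegExp.
// Assumption: '*' is the only wildcard; every other character is literal.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/^\//, '')
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// manifest: parsed manifest.json (version 1 or 2 layout, as in the thread).
// packagedFiles: file paths relative to the extension root.
function auditManifest(manifest, packagedFiles) {
  // Leaving the key off means version 1, per the documentation quoted above.
  const version = Number.isInteger(manifest.manifest_version)
    ? manifest.manifest_version
    : 1;
  const files = packagedFiles.map((f) => f.replace(/^\//, ''));

  let exposed;
  if (version < 2) {
    // Version 1: nothing is blocked, so every packaged file is loadable.
    exposed = files.slice();
  } else {
    // Version 2: blocked by default; only whitelisted paths are loadable.
    const listed = Array.isArray(manifest.web_accessible_resources)
      ? manifest.web_accessible_resources.filter((p) => typeof p === 'string')
      : [];
    const matchers = listed.map(patternToRegExp);
    exposed = files.filter((f) => matchers.some((re) => re.test(f)));
  }

  return {
    manifestVersion: version,
    exposedFiles: exposed,
    // manifest.json is the file the detector in the thread requests.
    manifestExposed: exposed.includes('manifest.json'),
    // Inference: any loadable file reveals that the extension is installed.
    detectableByProbe: exposed.length > 0,
  };
}

// Constructed sample data, not taken from any real extension.
const FILES = ['manifest.json', 'popup.html', 'images/icon.png', 'inject/style.css'];
const LEGACY = { name: 'Sample legacy extension', version: '1.0' };
const V2_CLOSED = { name: 'Sample v2 extension', version: '1.0', manifest_version: 2 };
const V2_PARTIAL = {
  name: 'Sample v2 extension with icons',
  version: '1.0',
  manifest_version: 2,
  web_accessible_resources: ['images/*.png'],
};

for (const m of [LEGACY, V2_CLOSED, V2_PARTIAL]) {
  const r = auditManifest(m, FILES);
  console.log(`${m.name}: v${r.manifestVersion}, exposed=[${r.exposedFiles.join(', ')}]`);
}
```

A version 2 extension that whitelists nothing exposes no files; one that whitelists even a single icon still exposes that path, so keep the list as short as the extension's injected content allows.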

    • by cheater512 (783349) <nick@nickstallman.net> on Saturday March 17, 2012 @04:22AM (#39387563) Homepage

      It's not a 'dump every extension' exploit. It has to check for each one specifically based on a list.
      Your extensions simply aren't on the list.

      • Re: (Score:3, Insightful)

        by wvmarle (1070040)

        AC before you explained how there is actually a dump-all function. The proof-of-concept just doesn't check for all existing plug-ins. Besides, the detection of even a few plug-ins other than via their external behaviour (e.g. not loading ads like ABP does) is bad enough.

    • by Anonymous Coward

      It has a list of extensions to check for. The exploit lets you check for the presence of any extension if you know the extension ID.
      That's slightly less convenient than just getting a list, but it's not that hard to get a nearly complete list of extension IDs.
      I'd say this exploit is about as exploitable as an extension listing exploit is going to get.

    • by Anonymous Coward on Saturday March 17, 2012 @04:50AM (#39387637)

      The detector works by injecting SCRIPT elements referring to chrome-extension://[id]/manifest.json. It checks if this works for several popular extension ids. Common sense would dictate that it should be impossible to load chrome-extension: resources from http: contexts but I checked in a recent Chromium build and the browser just loads the resource. Chromium must be programmed by interns.

      • by iiiears (987462)

        "Chromium must be programmed by Advertisers." /ftfy

      • by Anonymous Coward

        FWIW, the reason Chrome originally allowed this is because it is common for script injected into web pages to want to refer to resources (like images, stylesheets, etc) packaged as part of the extension.

        There is no reason this is directly a security issue because the same-origin policy applies to extensions exactly the same way it does to web sites. Additionally, as an extra security measure we restrict extension pages from accessing additional privileges except when they are run in special blessed subproce

    • by Dan541 (1032000) on Saturday March 17, 2012 @04:53AM (#39387651) Homepage

      It lists zero for me because ScriptNo blocks it.

      If I allow scripting it detects LastPass, Ghostery and ScriptNo.

    • by FireFury03 (653718) <slashdot@NOspam.nexusuk.org> on Saturday March 17, 2012 @07:01AM (#39387957) Homepage

      The proof-of-concept listed only four out of my ten enabled extensions. Among those left out were Google Calendar, UA Spoofer, and Pastebin, among others. I'd say this 'exploit', if we can call it that, has a long way to go...

      That's because you only saw the first part of the exploit.

      The full exploit procedure is this:
      1. Direct someone at a website that lists a few of their installed extensions.
      2. Scan slashdot to find that person moaning about how crap the exploit is and look at the "missed" extensions they list in their comment.
      3. Combine the results of (1) and (2) to acquire a complete list of installed extensions for that person.

    • Perhaps this was a social engineering trick to get people like you all to publicly list all your extensions. ;-)

    • I got this:

      [*] Detected addon: AdBlock (gighmmpiobklfepjocnamgkkbiglidom)
      [*] Detected addon: TinEye Reverse Image Search (haebnnbpedcbhciplfhjjkbafijpncjl)
      [*] Detected addon: Scientific Calculator (npoipmeppdioagbkigdlnpmjphnolaog)
      [*] Detected addon: Personal Blocklist (by Google) (nolijncfnkgaikbjbdaogikpmpbdcdef)
      [*] Detected addon: YoWindow Weather (fanogbnclpilemkifpjeglokomebpnef)

      It missed Backspace As Back for linux, Kill Flash and Keep my Opt-Outs. Oddly, I don't feel violated. I had always, incorre

      • by Tacvek (948259)

        A website can request a list of available NPAPI (i.e. Netscape-style) plugins, however they cannot directly request other browser add-ons like active-x controls, or extensions.

        As an aside:
        Not being able to enumerate Active-x controls is a very good thing, since that would imply either listing every COM object installed on the system, (which effectively includes a list of all major applications installed on your system), or it would require that IE attempt to load each of them that implements the IObjectSafet

    • It got one out of five for me, and that one was google translate, (which also would be easy to detect.)
  • by satuon (1822492) on Saturday March 17, 2012 @04:14AM (#39387533)

    This can be used in a much more mundane way - a website can check if you have Adblock installed, and it can refuse to display its content to you then unless you uninstall it.

    • by wmbetts (1306001) on Saturday March 17, 2012 @04:27AM (#39387585)

      Why is that a problem? It's your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

      • The grandparent stated a fact. He or she did not say it was a problem, just that it was true.

      • by Anonymous Coward on Saturday March 17, 2012 @05:31AM (#39387773)

        Why is that a problem? It's your right to refuse to load content on to your computer and it's their right to refuse to show you their content. Kinda like the old antispam saying "my server my rules."

        And it's your right to make it hard to see whether you're blocking and it's their right to make their ads hard to block. So if you want to see the content without the ads then it's a problem for you if you can't, just as if they don't want you to see the ads without the content then it's a problem for them if you can.

        The fact that someone has a right to do something is pretty much completely unrelated to whether their doing it presents a problem. It's my right to buy the last roll of toilet paper in the shop but if you've run out then that can be a problem for you if I do.

      • by FudRucker (866063) on Saturday March 17, 2012 @08:06AM (#39388123)
        I block ads by placing "sticky notes" in strategic locations on my monitor, detect that!
    • by Anonymous Coward

      And you can't get around it by using Incognito mode. Incognito mode automatically disables every Chrome extension and is how I usually check to see if an extension is misbehaving on a specific site. This Chrome extension revealing method isn't affected by Incognito mode and reveals extensions even when they're all disabled.

      You have to go into the Chrome Extensions manager and manually disable each extension if you don't want the website to detect it.

    • by negge (1392513)

      I have seen this behavior once on a blog. After loading the page it redirected to another page (aka. not just a pop-over) telling me I need to disable Adblock Plus if I want to read the blog post. Unfortunately I can't seem to find it at the moment.

    • by msobkow (48369)

      Clue: They've been doing this without this "exploit."

      Personally I don't see why this would be an issue. Doesn't it make sense for a web server to detect the client's plugins, addons, configurations, and to adapt the presentation HTML and XML accordingly?

      i.e. How is this any different from detecting Flash? Or Java? Or whether cookies are enabled?

      Where is the RISK from knowing what extensions you have installed if they're properly configured?

      This reminds me of the panic people have when they first

    • by alexgieg (948359)

      This can be used in a much more mundane way - a website can check if you have Adblock installed, and it can refuse to display its content to you then unless you uninstall it.

      True enough, as I remember finding one site, once, years ago, that did this. In fact, it's actually easy to do in JavaScript: search the page for the relevant elements and do something upon not finding them. But it seems the absolute majority of sites out there just don't think it's worth the effort. Adblocking users are such a minority that the cost of implementing anti-adblocking measures, and keeping them updated in the ensuing arms race, is more than the expected return on investment, as adblockers are

  • Wow. Browser sniffing. What year is it?

  • Doesn't list anything, even if I enable Javascript for its site in NotScripts [google.com] (yet another reason to install this little lifesaver).

  • by 93 Escort Wagon (326346) on Saturday March 17, 2012 @04:42AM (#39387621)

    So let me get this straight - I can click on that link right now in Firefox and it's going to tell me what Chrome extensions I have installed? Unbelievable!

    • by wvmarle (1070040)

      Indeed, I just tried the script in Firefox and it worked 100% correct!

      It detected no Chrome extensions, which is correct as I don't even have Chrome installed, let alone any of its extensions.

      • Re: (Score:2, Insightful)

        by bytesex (112972)

        I tried Chrome the other day for the first time, and I was not impressed. All those things that I'd come to expect from using Firefox in Linux - flash not (immediately) working, websites gratuitously opening new windows in the background, and not a single way to make sure you have a menu or even a 'quit' button - I felt quite unsafe and not-in-control. Every now and then I come into contact with a computing experience the way the rest of the world expects it, and I find it most unpleasant.

        • Sorry you don't like Chrome... I think you'll find the popup problem is probably isolated to a handful of shady sites (I have no such problems myself) and closing all windows effectively quits Chrome anyway. Not sure what Flash is about, it worked out of the box for me.

          Chrome has a very good sandbox model though, and they do a ton of tricks to try and keep it running fast. There's also a built in JS-whitelist functionality I call "NoScript Lite" which works pretty well. Plus you have nice sandboxed exten

  • Guess someone should really post this on the SRWare Iron's forums/mailing list (and other privacy-centered Chromium based browsers) so they can disable the functionality in their builds...
  • Detected two of my 8 extensions and listed one that I don't have installed.
  • This "exploit" looks more like begging the question to me. As far as I can remember, every single Chrome extension I have installed warned me that it might share data with the websites I visit before I installed it. It stands to reason that if an extension can share data with a website, that website can detect the extension, does it not?

    I'm not saying that it's ideal behavior, only that it seems to me that Chrome users have already been warned about it by Google itself. If you don't like the behavior, you h

    • by Squirmy McPhee (856939) on Saturday March 17, 2012 @05:28AM (#39387763)

      If you don't like the behavior, you have quite a few options: Remove the extension, disable it, go incognito when you don't want your extensions detected, or simply use another browser

      Hmm ... it seems I may have been a little too quick. When I visit the site running the extension-detection script in incognito mode, it is still able to detect my extensions. Now I wonder if disabling is even effective.

      That said, I don't really think there's anything anybody can learn about me from the extensions I have installed -- at least, not anything that I wouldn't tell a total stranger. Since there are few extensions that don't interact with at least one website, I think that's a good policy to follow even if you're a Firefox user.

      • There has actually been some research in this area. Your extensions can often create a unique identifier allowing sites to track you.

    • by truedfx (802492)
      No, that's not expected behaviour. Extensions can share information with websites, but if they don't, websites should not be able to get anything.
  • A lot of extensions request access to your browser's X, Y, & Z... and sometimes your entire file system (???) But since we (the user/s) want to use the provided functionality in the extension, we all click "OK". Just from reading those notifications, it is still unclear WHY the extension needs those access permissions, or WHAT the extension might be doing with said access. How can we know/understand more about this process? Where is the source path of the extension & should we just be looking a
  • /. has at least one article, last year I think, that mentioned this fact already.

    This is not a secret and a moderately well known fact.

  • by markdavis (642305) on Saturday March 17, 2012 @09:11AM (#39388451)

    People who typically choose Chrome (the Google Browser) don't strike me as people who are all THAT concerned about their privacy. It might be a nice browser, but it is closed-source, and heavy into the "Google way" (which to me means to share all your information with Google).

    At least with Chromium, people can see what is going on inside...

    • by MidGe (69308)

      Chromium has bizarre behavior as well.

      With everything that could even be remotely related to Google turned off and cleared in chromium, the browser connects to Google Plus of its own volition, opening a port in the ephemeral group of ports and keeping the connection alive! It is doing this with no activity whatsoever following invocation of the program with a blank home page. What is worse, and by all appearances could be construed as intentionally surreptitious behaviour and perhaps malevolent, it does thi

      • by markdavis (642305)

        Somebody should mod your posting +1 Informative.

        I try to tell people stuff like this, but it seems either nobody believes me, or nobody cares. It seems this is the world we live in now regarding privacy issues- ignorance, denial, or apathy.

        • by MidGe (69308)

          Indeed, I have tried submitting a post here on slashdot and have posted elsewhere including on chromium site.

          It seems that there is little interest in security and privacy.

          It is however a great concern of mine. I guess I go against the grain. :) I posted on this thread knowing that it was only remotely related to the topic in the hope that someone would see it and that it would not affect my karma.

  • I think somebody jumped the gun here, 'cause I'm using Chrome 17.0.963.79 on Ubuntu 11.10, and that "proof of concept" link didn't list any of my extensions.
  • It only detected half of the plugins I have installed.....
  • Since that's my first and foremost extension for everything at all times.

  • The proof of concept proves that you are okay if you have disabled JavaScript by default.
  • huh!
    Last 3 months I developed my tiny web-coding sandboxie, and it was my first work:

    http://www.browserleaks.com/chrome [browserleaks.com]

    Same idea, but it's a more visual demo, cos it uses apps icons detection.
    For some reason I didn't try to use manifest, and wrote a huge parser to collect 10k db... :)
