Browsers leak installed extensions to sites

Discussion in 'privacy problems' started by siric, Aug 30, 2017.

  1. siric

    siric Registered Member

    Joined:
    Oct 26, 2016
    Posts:
    11
    Location:
    Home
    "Security researchers have discovered flaws in the extensions systems of all modern browsers that attackers may exploit to enumerate all installed browser extensions.

    The attack affects all modern browsers. The researchers confirmed it in Chromium-based browsers, and believe that it affects other browsers like Firefox or Edge which use the same extensions system as well. Firefox's legacy add-on system is also vulnerable to the attack."

    https://www.ghacks.net/2017/08/29/browsers-leak-installed-extensions-to-sites/


    In other news: Resource URI Leak Fixed in Firefox Nightly
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,950
    It was mentioned that Firefox webextensions are not effected:
    but this is not the case:

    https://www.ghacks.net/2017/08/30/firefox-webextensions-may-identify-you-on-the-internet/
     
  3. siric

    siric Registered Member

    Joined:
    Oct 26, 2016
    Posts:
    11
    Location:
    Home
    That's correct, Mozilla's WebExtensions are affected too. Mozilla should be able to fix that easily though, for example by randomizing the ID's each time the browser opens.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,222
    Location:
    Mexico
    I expect Google Chrome takes a different route to resolve this issue unlike Mozilla's way. I use GPOs to whitelist some / blacklist * the rest and I can't see randomization working here. Or perhaps Chrome could manage both techniques to work alongside each other.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,507
    Location:
    The Netherlands
    I don't get it, wasn't it always possible for websites to see which extensions you are using? I thought that's the way that anti-adblockers were working.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,691
    Sure, the effects of some extensions are obvious. But some only do client-side stuff, that servers don't see. Or shouldn't see, anyway.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.